[Swan-dev] debian patch for dnssec root.key

Antony Antony antony at phenome.org
Mon Jun 26 08:22:03 UTC 2017

Hi dkg, 

I think Debian will need this patch for pluto to read 
/usr/share/dns/root.key file.
Libreswan default location is a root.key file on Fedora 2x,

I can also imagine Debian has a different, generated file with the latest
root key(s), such as a root.anchor file? However, be careful using a root.anchor
instead of the root.key which comes from the package dns-root-data. If the
root.anchor does not get generated for some reason, say no network or no access
to the "." zone, pluto may fail. I am not sure how root.anchor is generated.

As far as I see, unbound-anchor does not come with root.key on Debian.

dns-root-data seems to come with root.key file.

Some weird DSL modems/routers may block queries to the "." zone when they try to do
more DNS magic.

Thanks for testing 3.21rcX on Debian.

-------------- next part --------------
From fdf94f2756d3b3844b8d6fe62286c941d705e59f Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Sat, 24 Jun 2017 00:21:12 +0200
Subject: [PATCH] add dns-root-data dependency and use root.key from it

set Debian location for root.key file when compiling

Signed-off-by: Antony Antony <antony at phenome.org>
 debian/control | 1 +
 debian/rules   | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 4ccc0a590..f7fc6bdb7 100644
--- a/debian/control
+++ b/debian/control
@@ -40,6 +40,7 @@ Pre-Depends:
  debconf | debconf-2.0,
+ dns-root-data,
  iproute2 | iproute (>= 20071016),
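Review bot: the new dns-root-data entry sits next to debconf, and the hunk header shows this context falling under Pre-Depends:. If that is the field it lands in, a plain Depends: should be enough, because root.key is only read by pluto at run time and nothing in this patch needs the file while the package is being unpacked. Please confirm which field this is and move the line to Depends: if it is Pre-Depends:.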
diff --git a/debian/rules b/debian/rules
index 54c6baa0a..541801dc6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -33,7 +33,8 @@ override_dh_auto_build:
 		USE_KLIPS=false \
-		USE_DNSSEC=true
+		USE_DNSSEC=true \
+		DEFAULT_DNSSEC_ROOTKEY_FILE=/usr/share/dns/root.key
 	# Add here commands to install the package into debian/libreswan
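Review bot: the hard-coded DEFAULT_DNSSEC_ROOTKEY_FILE=/usr/share/dns/root.key in override_dh_auto_build has no comment saying which package provides that path. A one-line comment above the make arguments naming dns-root-data would tie this setting to the new debian/control dependency, so the path and the dependency are kept in step if either is changed later.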
