icann-ca.pem missing from package

Bug #1754774 reported by Daniel Aleksandersen
Affects: knot-resolver (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Ubuntu’s distribution of knot-resolver is missing /etc/knot-resolver/icann-ca.pem.

Without this file at this hardcoded location (/usr/lib/knot-resolver/trust_anchors.lua:458), DNSSEC bootstrapping doesn’t work. The file is included in Debian and Fedora, but not Ubuntu.

https://packages.debian.org/buster/amd64/knot-resolver/filelist
https://packages.ubuntu.com/bionic/amd64/knot-resolver/filelist

dkg (dkg0) wrote:

On a well-managed system, DNSSEC resolution should depend on the system-installed and system-maintained DNSSEC root, not on using icann-ca.pem for individual packages to separately update their root stores via sidechannel mechanisms.

Recent versions of knot-resolver should depend directly on the dns-root-data package, and should learn DNS roots from there. If they do not, then please report that as a bug.

But I think shipping /etc/knot-resolver/icann-ca.pem would be a mistake. (Also, we do not ship it in Debian.)
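The two comments above disagree about which file a kresd host should be relying on: the package-private bootstrap certificate at /etc/knot-resolver/icann-ca.pem, or the distribution-maintained root trust anchor that the dns-root-data package installs under /usr/share/dns/. The script below is an added diagnostic, not part of the bug report or of knot-resolver; it reports which of the two sources is actually usable on a host. The paths are the Debian/Ubuntu defaults and are assumptions; the record-format check assumes root.key holds DS or DNSKEY records for the root owner name ".", which is the layout dns-root-data uses. The fixture it writes is constructed placeholder data, not real root KSK material.

```shell
#!/bin/sh
# Added example; not from the bug report or from the knot-resolver project.
# Reports which root trust-anchor source a kresd host can use:
#   system    - root.key from the dns-root-data package (preferred, system-maintained)
#   bootstrap - icann-ca.pem, the package-private file this bug says Ubuntu omits
#   none      - neither is usable, so DNSSEC bootstrapping will fail
# Paths below are the Debian/Ubuntu defaults (assumption); override via ROOT_KEY / ICANN_CA.

ROOT_KEY="${ROOT_KEY:-/usr/share/dns/root.key}"
ICANN_CA="${ICANN_CA:-/etc/knot-resolver/icann-ca.pem}"

# count_root_anchors FILE
# Prints how many lines in FILE are DS or DNSKEY records owned by the root
# zone (".", optional TTL, class IN). Prints 0 for a missing or unreadable file.
count_root_anchors() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c prints the count even when it is 0, but then exits 1; keep set -e happy.
    grep -Ec '^\.[[:space:]]+([0-9]+[[:space:]]+)?IN[[:space:]]+(DS|DNSKEY)[[:space:]]' "$1" || true
}

# is_pem_cert FILE: succeeds if FILE contains at least one PEM certificate block.
is_pem_cert() {
    [ -r "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q '^-----END CERTIFICATE-----' "$1"
}

# anchor_source [ROOT_KEY_PATH] [ICANN_CA_PATH]
# Prints "system", "bootstrap" or "none"; the system anchor wins when both exist.
anchor_source() {
    key="${1:-$ROOT_KEY}"
    ca="${2:-$ICANN_CA}"
    if [ "$(count_root_anchors "$key")" -gt 0 ]; then
        echo system
    elif is_pem_cert "$ca"; then
        echo bootstrap
    else
        echo none
    fi
}

# make_fixture DIR: writes CONSTRUCTED sample files into DIR so the check can be
# exercised offline. The key/DS payloads are placeholders, not the real root KSK.
make_fixture() {
    mkdir -p "$1"
    cat > "$1/root.key" <<'EOF'
; constructed sample in the layout dns-root-data uses; NOT the real root KSK
. 172800 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDplaceholderKeyMaterial==
. IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
EOF
    cat > "$1/icann-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----
EOF
}

# "demo" runs against the constructed fixture; with no argument it checks the
# live default paths of the host it runs on.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_fixture "$d"
    anchor_source "$d/root.key" "$d/icann-ca.pem"   # system
    anchor_source "$d/missing"  "$d/icann-ca.pem"   # bootstrap
    anchor_source "$d/missing"  "$d/missing"        # none
    rm -rf "$d"
else
    anchor_source
fi
```

If the script prints `none` on an Ubuntu host, install dns-root-data rather than hand-copying icann-ca.pem, which is the direction dkg's comment argues for. Pointing kresd at the system anchor is a configuration matter that varies by release: knot-resolver 3.x and later document `trust_anchors.add_file('/usr/share/dns/root.key', true)`, while older releases used `trust_anchors.config(...)`; check the documentation for the version you actually have before relying on either call.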
