New recommendations regarding trust anchor management

This commit is contained in:
Willem Toorop 2017-09-21 12:33:19 +02:00
parent 712f62a4c1
commit 90a187a1ac
1 changed files with 16 additions and 11 deletions


@ -71,21 +71,26 @@ install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@
$(INSTALL) -m 644 $(srcdir)/spec/index.html $(DESTDIR)$(docdir)/spec
cd doc && $(MAKE) install
@echo "***"
@echo "*** !!! IMPORTANT !!!! libgetdns needs a DNSSEC trust anchor!"
@echo "*** !!! IMPORTANT !!!!"
@echo "***"
@echo "*** From release 1.2.0, getdns comes with built-in DNSSEC"
@echo "*** trust anchor management. External trust anchor management,"
@echo "*** for example with unbound-anchor, is no longer necessary"
@echo "*** and no longer recommended."
@echo "***"
@echo "*** Previously installed trust anchors, in the default location -"
@echo "***"
@echo "*** For the library to be able to perform DNSSEC, the root"
@echo "*** trust anchor needs to be present in presentation format"
@echo "*** in the file: "
@echo "*** @TRUST_ANCHOR_FILE@"
@echo "***"
@echo "*** We recomend using unbound-anchor to retrieve and install"
@echo "*** the root trust anchor like this: "
@echo "*** mkdir -p `dirname @TRUST_ANCHOR_FILE@`"
@echo "*** unbound-anchor -a \"@TRUST_ANCHOR_FILE@\""
@echo "*** - will be preferred and used for DNSSEC validation, however"
@echo "*** getdns will fallback to trust-anchors obtained via built-in"
@evho "*** trust anchor management when the anchors from the default"
@echo "*** location fail to validate the root DNSKEY rrset."
@echo "***"
@echo "*** We strongly recommend package maintainers to provide the"
@echo "*** root trust anchor by installing it with unbound-anchor"
@echo "*** at package installation time from the post-install script."
@echo "*** To prevent expired DNSSEC trust anchors to be used for"
@echo "*** validation, we strongly recommend removing the trust anchors"
@echo "*** on the default location when there is no active external"
@echo "*** trust anchor management keeping it up-to-date."
@echo "***"
uninstall: @UNINSTALL_GETDNS_QUERY@
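Review bot: The new line `@evho "*** trust anchor management when the anchors from the default"` misspells `echo`, so `make install` will fail with a command-not-found error part-way through printing the notice, after the library, pkg-config files and docs have already been installed by the preceding recipe lines. Since every recipe line runs in its own shell and make aborts on a non-zero status, the target ends in a failed state even though the only problem is cosmetic output; the line should read `@echo "*** trust anchor management when the anchors from the default"`. The `install` rule's recipe starts before this hunk (its header is only visible in the `@@` context), so the earlier install steps that run before the notice are not shown here.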