
DNSSEC trust anchors outdated (5+ years old) and unused makedepends

Summary

The dnssec-anchors package ships 5+ year old DNSSEC trust anchors from 2019, causing DNSSEC validation warnings in knot-resolver. Additionally, unbound is listed as makedepends but never used in the build process.

Current Issues

  1. Outdated trust anchors: the package ships the static file trusted-key-20190629.key, generated in 2019
  2. DNSSEC validation warnings: knot-resolver logs show "flags 256 instead of 257" warnings
  3. Unused makedepends: unbound is listed but no build() function exists to use it

Expected Behavior

  • Fresh DNSSEC trust anchors generated during package build
  • No DNSSEC validation warnings in resolvers
  • makedepends should either be used in the build or removed

Root Cause

The 2020 "reproducible" change (commit fbc726b3) replaced dynamic trust anchor generation with static files hosted on Arch servers, but these files haven't been updated since 2019.

Related Issues

This addresses the existing confirmed bug report #77100 "unbound set as makedepend but there is not build section" (assigned to Jelle van der Waa):

  • Issue: unbound listed as makedepends but no build() function exists to use it
  • Status: Confirmed bug open for 2+ years (since 2023-01-12)
  • Root cause: The 2020 "reproducible" change removed the build process that used unbound

Our solution resolves both the unused makedepends issue and the outdated trust anchor problem simultaneously by restoring proper build-time trust anchor generation.

Working Solution Available

I have developed, tested, and validated a complete fix that:

  • Generates fresh DNSSEC trust anchors during package build
  • Filters for proper KSK records (flag 257) eliminating SEP bit warnings
  • Uses the existing unbound makedepends properly in a build() function
  • Tested with drill/kdig showing proper DNSSEC validation (ad flag, SERVFAIL for dnssec-failed.org)
  • Ready to submit as merge request

Implementation: Restores dynamic trust anchor generation using the existing dnssec-anchors-versioned.sh logic, integrated into a proper build() function with KSK filtering.
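The KSK-filtering step described above, as an added example that is not code from the dnssec-anchors package or its dnssec-anchors-versioned.sh script. It takes DNSKEY records in presentation format on stdin and keeps only those whose flags field is 257, which is the check that prevents a ZSK (flags 256) from ending up in the anchor file and triggering the "flags 256 instead of 257" warning. The function names, the constructed sample records (placeholder key material, not real root keys) and the `require_ksk` build-time guard are assumptions of this example; the network fetch that produces the records is deliberately left out so the snippet runs offline.

```shell
# Added example (not the dnssec-anchors package's own build() or the
# dnssec-anchors-versioned.sh script): keep only KSK records from a DNSKEY
# dump so the resulting trust-anchor file never carries a ZSK.
#
# DNSKEY flags (RFC 4034): bit 7 = Zone Key (256), bit 15 = SEP (1).
# A KSK carries both, so its flags field reads 257; a ZSK reads 256.
# Loading a 256 record as a trust anchor is what produces the
# "flags 256 instead of 257" warning in knot-resolver.

# Constructed sample in presentation format (TTL is optional in real dumps);
# the base64 key material below is a placeholder, not a real root key.
SAMPLE_DNSKEYS='. 172800 IN DNSKEY 256 3 8 AwEAAZSKplaceholder1==
. 172800 IN DNSKEY 257 3 8 AwEAAKSKplaceholder==
. IN DNSKEY 256 3 8 AwEAAZSKplaceholder2=='

# Read DNSKEY records on stdin, print only those whose flags field is 257.
# The DNSKEY token is located by name so an optional TTL column does not matter.
filter_ksk() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "DNSKEY" && $(i + 1) == "257") { print; break }
    }'
}

# Count KSK records on stdin (prints 0 when none are present).
count_ksk() {
    filter_ksk | awk 'END { print NR }'
}

# Build-time guard a PKGBUILD build() could run after fetching the records
# (with whatever fetch step the packager chooses): fail loudly rather than
# ship an anchor file with zero KSKs.
require_ksk() {
    n=$(count_ksk)
    [ "$n" -ge 1 ] || { echo "error: no KSK (flags 257) record found" >&2; return 1; }
    echo "ok: $n KSK record(s)"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DNSKEYS" | filter_ksk
printf '%s\n' "$SAMPLE_DNSKEYS" | require_ksk
```

In a build() the filtered output would be redirected into the file that package() installs, with `require_ksk` (or an equivalent check) run first so a fetch that returns only ZSKs, or nothing at all, fails the build instead of producing a package that resolvers reject.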
