Shipping and rotating DNSSEC keys in the distribution
According to a report on our forum, the DNS resolvers we use in Turris OS (and maintain in our turris-os-packages
feed) check for the current DNSSEC root key and, even when the key is still valid, write to the eMMC every 30 minutes, which is neither good behaviour nor a good approach.
@vcunat said that DNSSEC keys should be packaged as static files and updated as normal package data, as most other distributions do. While taking a look at how others do that in OpenWrt, I checked that unbound and bind do that as well.
Proof: https://github.com/openwrt/packages/blob/master/net/unbound/files/root.key and https://github.com/openwrt/packages/blob/master/net/bind/files/bind/bind.keys
DNSSEC keys are not refreshed that often, so I propose this solution:
- Stop writing to the eMMC every 30 minutes to check the root key: remove the dnssec-rootkey package and do it the way other distributions commonly do. Ship the DNSSEC key together with the resolver package; the backup of the DNSSEC key could be improved as well. Somewhat related to https://gitlab.labs.nic.cz/turris/turris-os-packages/issues/489
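As an added illustration (not code from this issue or from the Turris packages): a check that a statically packaged root.key line derives the DS record IANA publishes for the root KSK, which is the kind of verification that can run once at package build time rather than a resolver rewriting its state to flash every 30 minutes. The DNSKEY line below is a constructed sample with a two-byte key so the key tag can be checked by hand; the real reference value is the root-anchors file from https://data.iana.org/root-anchors/.

```python
import base64
import hashlib

# Constructed sample in the unbound/bind "root.key" style (not a real root KSK):
# the public key is two bytes so the key tag (1034) can be verified by hand.
SAMPLE_ROOT_KEY = ". 172800 IN DNSKEY 257 3 8 AAE= ; constructed sample, id = 1034 (ksk)"

def parse_dnskey(line):
    """Parse one DNSKEY presentation-format line, ignoring ';' comments.
    Returns (owner, flags, protocol, algorithm, key_bytes)."""
    fields = line.split(";", 1)[0].split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, key

def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire-format owner name; the root "." is a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(line):
    """DS presentation data (key tag, algorithm, digest type 2 = SHA-256,
    digest) derived from a DNSKEY line, as in RFC 4034 section 5.1.4."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"

def anchor_matches(line, published_ds):
    """True when the packaged anchor is a KSK (flags 257) and derives exactly
    the published DS; whitespace and hex case are normalised before comparing."""
    flags = parse_dnskey(line)[1]
    return flags == 257 and ds_record(line).split() == published_ds.upper().split()
```

Running `anchor_matches(line, published_ds)` over each line of the packaged root.key against the IANA DS at build time gives a fail-fast check without any runtime state on the device.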
cc: @kkoci, @vcunat, @jpavlinec