letoams / hash-slinger

GNU General Public License v2.0

[Question] Is there an alternative to python2-unbound as dependency? #16

Closed HLFH closed 7 years ago

HLFH commented 7 years ago

Hi,

Is there an alternative to python2-unbound as dependency? It's quite a heavy dependency and apparently, we need unbound with that! Could we replace it by something? I prefer pdns btw and I don't know if we could replace python2-unbound dependency by smth related to pdns. Or does systemd-resolve help?

Thanks, HLFH

letoams commented 7 years ago

For now we are not able to rely on the system having a trustworthy DNSSEC environment, so we need a validating resolver to do this work. While unbound-python might be overkill, I don't know of other DNSSEC supporting python bindings that would be much smaller. I'm not sure what the status is of DNSSEC for powerdns recursor and/or if they have python bindings. unbound is also more commonly present on a system than pdns. systemd-resolved is also not part of fedora or centos/rhel, and also has various security design decisions that are not really conducive to its use for security related lookups. Note: you do not need the unbound daemon, only the unbound-libs.

HLFH commented 7 years ago

@letoams On ArchLinux, the unbound daemon is required for now as you can see in the AUR. On Ubuntu, it's ok because libunbound2 exists. It's not the case on ArchLinux. PowerDNS 4.0.x versions are fully supporting DNSSEC. For example, pdns-recursor 4.0.3 fully supports it. But I don't see any updated interesting python bindings related to pdns-recursor.

What do you think of dnspython? Is that useful in some way for this issue?

Thanks,

letoams commented 7 years ago

That's an error in the arch package then..... The fedora package only depends on the unbound-libs package:

    %if 0%{with_python}
    %package -n python-unbound
    Summary: Python 2 modules and extensions for unbound
    Group: Applications/System
    Requires: %{name}-libs%{?_isa} = %{version}-%{release}
    Provides: unbound-python = %{version}-%{release}
    Obsoletes: unbound-python < %{version}-%{release}

I don't see why pdns-recursor would be "lighter" than unbound-libs?

dnspython does not support DNSSEC validation. It depends on the system's resolver doing the validation and setting the AD bit. If that system's resolver is not localhost, we cannot really trust it.
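To make the AD-bit point concrete, here is an added example (written for this page, not code from hash-slinger or dnspython) that reads the flags word from a raw DNS reply and applies the policy described above: an AD=1 answer only counts as validated when the resolver that set it is on loopback, since any hop between the client and a remote resolver can set or clear that bit. The function names, the "secure"/"insecure"/"ad-from-remote" labels and the wire bytes built by `build_header` are all constructed for the example; a local libunbound validator, which hash-slinger relies on, avoids this problem by validating in-process instead of trusting a remote resolver's AD flag.

```python
import ipaddress
import struct

# DNS header flag bits (second 16-bit word of the header, RFC 1035 / RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: set by a *validating* resolver
HEADER_LEN = 12


def header_flags(wire: bytes) -> int:
    """Return the flags word of a raw DNS message (only the header is inspected)."""
    if len(wire) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    # Header layout: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (big-endian u16 each).
    return struct.unpack("!H", wire[2:4])[0]


def ad_bit_set(wire: bytes) -> bool:
    """True if the responding resolver claims it validated the answer (AD=1)."""
    return bool(header_flags(wire) & FLAG_AD)


def classify_answer(wire: bytes, resolver_ip: str) -> str:
    """Decide how much the AD bit is worth, given who set it.

    Policy (an assumption for this example, mirroring the comment above): the AD
    bit is only evidence of DNSSEC validation when the resolver that set it runs
    on this host. Returns one of: "secure", "insecure", "ad-from-remote".
    """
    flags = header_flags(wire)
    if not flags & FLAG_QR:
        raise ValueError("not a response message")
    if not flags & FLAG_AD:
        return "insecure"          # resolver did not (or could not) validate
    if ipaddress.ip_address(resolver_ip).is_loopback:
        return "secure"            # local validator, e.g. unbound on 127.0.0.1
    return "ad-from-remote"        # AD set, but by a resolver we cannot vouch for


def build_header(flags: int, msg_id: int = 0x1234) -> bytes:
    """Constructed minimal 12-byte header with zero section counts (sample input)."""
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


if __name__ == "__main__":
    reply = build_header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)   # flags 0x81A0
    print(classify_answer(reply, "127.0.0.1"), classify_answer(reply, "192.0.2.53"))
```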

HLFH commented 7 years ago

@letoams Ok. Thanks for the details. I will see with the AUR package maintainer of python2-unbound if he/we can replace the unbound dependency by a new libunbound2/unbound-libs AUR package.