Closed HLFH closed 7 years ago
For now we are not able to rely on the system having a trustworthy DNSSEC environment, so we need a validating resolver to do this work. While unbound-python might be overkill, I don't know of other DNSSEC-supporting python bindings that would be much smaller. I'm not sure what the status is of DNSSEC for powerdns recursor and/or if they have python bindings. unbound is also more commonly present on a system than pdns. systemd-resolved is also not part of fedora or centos/rhel, and also has various security design decisions that are not really conducive to its use for security-related lookups. Note: you do not need the unbound daemon, only the unbound-libs.
@letoams On ArchLinux, the unbound daemon is required for now, as you can see in the AUR. On Ubuntu, it's ok because libunbound2 exists. It's not the case on ArchLinux.

PowerDNS 4.0.x versions fully support DNSSEC. For example, pdns-recursor 4.0.3 fully supports it. But I don't see any updated, interesting python bindings related to pdns-recursor.

What do you think of dnspython? Is that useful in some way for this issue?

Thanks,
That's an error in the arch package then... The fedora package only depends on the unbound-libs package:
```spec
%if 0%{with_python}
%package -n python-unbound
Summary: Python 2 modules and extensions for unbound
Group: Applications/System
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: unbound-python = %{version}-%{release}
Obsoletes: unbound-python < %{version}-%{release}
```
I don't see why pdns-recursor would be "lighter" than unbound-libs?
dnspython does not support DNSSEC validation. It depends on the system's resolver doing the validation and setting the AD bit. If that system's resolver is not localhost, we cannot really trust it.
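The point about the AD bit deserves a concrete look. The Authenticated Data flag is just bit 5 of the 16-bit flags word in a DNS response header; a stub client such as dnspython reads it back, it does not compute it. So a caller that wants DNSSEC assurance from the AD bit has to check two things: that the bit is set, and that the resolver that set it is one the host can vouch for (in practice, a validating resolver on loopback), because the bit travels unprotected on the wire from any remote resolver. The following is an added illustration, not code from this issue or from the dnspython or unbound projects; it parses the header of constructed sample responses with only the standard library and applies that policy. The `assess_answer` classification labels and the `resolver_is_local` rule are this example's own assumptions about how a caller might encode the policy. By contrast, libunbound (python-unbound) validates in-process and reports the outcome on its result object (`secure` / `bogus`), which is why the thread prefers it.

```python
import ipaddress
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2.3).
QR_BIT = 0x8000      # 1 = response, 0 = query
RD_RA_BITS = 0x0180  # recursion desired / available, set on typical recursive answers
AD_BIT = 0x0020      # Authenticated Data: the resolver claims it validated the answer
CD_BIT = 0x0010      # Checking Disabled: the client asked the resolver not to validate
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2   # what a validating resolver returns for data it judged bogus


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; only the fields the check below needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "ad": bool(flags & AD_BIT),
        "cd": bool(flags & CD_BIT),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def resolver_is_local(nameserver: str) -> bool:
    """Assumed policy: only a validating resolver on this host is trusted to have
    set AD itself. A remote resolver's AD bit arrives over plain port-53 traffic and
    says nothing about what happened between that resolver and us."""
    return ipaddress.ip_address(nameserver).is_loopback


def assess_answer(msg: bytes, nameserver: str) -> str:
    """Classify a response the way a caller relying on the AD bit must.
    Labels are this example's own:
      'servfail'     - rcode 2; validation failure (or other server error)
      'insecure'     - AD not set: unsigned zone, or a resolver that does not validate
      'unverifiable' - AD set, but by a remote resolver we cannot vouch for
      'secure'       - AD set by a local validating resolver
    """
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("message is a query, not a response")
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if not h["ad"]:
        return "insecure"
    if not resolver_is_local(nameserver):
        return "unverifiable"
    return "secure"


def build_response(flags: int, ancount: int = 1, ident: int = 0x1234) -> bytes:
    """Constructed header-only message for the demo (no question/answer sections)."""
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


# Constructed sample responses; not captured from any real resolver.
RESPONSE_AD = build_response(QR_BIT | RD_RA_BITS | AD_BIT)
RESPONSE_NO_AD = build_response(QR_BIT | RD_RA_BITS)
RESPONSE_SERVFAIL = build_response(QR_BIT | RD_RA_BITS | RCODE_SERVFAIL, ancount=0)

if __name__ == "__main__":
    cases = [
        ("AD from loopback", RESPONSE_AD, "127.0.0.1"),
        ("AD from loopback (IPv6)", RESPONSE_AD, "::1"),
        ("AD from remote resolver", RESPONSE_AD, "192.0.2.53"),
        ("no AD from loopback", RESPONSE_NO_AD, "127.0.0.1"),
        ("SERVFAIL from loopback", RESPONSE_SERVFAIL, "127.0.0.1"),
    ]
    for label, msg, ns in cases:
        print(f"{label:28s} -> {assess_answer(msg, ns)}")
```

The same header bits are what dnspython exposes (`response.flags & dns.flags.AD` in that library), so the check is the same there; what dnspython cannot do is turn "unverifiable" into "secure", because that requires doing the RRSIG/DNSKEY chain validation itself, which is exactly the work libunbound performs in-process.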
@letoams Ok. Thanks for the details. I will see with the AUR package maintainer of python2-unbound if he/we can replace the unbound dependency by a new libunbound2/unbound-libs AUR package.
Hi,

Is there an alternative to python2-unbound as dependency? It's quite a heavy dependency and apparently, we need unbound with that! Could we replace it by something? I prefer pdns btw and I don't know if we could replace the python2-unbound dependency by smth related to pdns. Or does systemd-resolve help?

Thanks, HLFH