[GH-ISSUE #2855] Use system root DNSSEC keys instead of hardcoding keys #1076

Closed
opened 2026-03-16 01:33:31 +03:00 by kerem · 3 comments

Originally created by @WhyNotHugo on GitHub (Mar 16, 2025).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2855

Is your feature request related to a problem? Please describe.

I'm working on [pimsync](https://pimsync.whynothugo.nl/), a tool to synchronise calendars and contacts. I use DNS service discovery to find the location of CalDAV and CardDAV servers.

My current implementation doesn't do DNSSEC validation and merely tells users that they are responsible for using a validating resolver. I'd like to use hickory-resolver to resolve the SRV records and ensure that DNSSEC is used.

The docs indicate that hickory-resolver hard-codes the roots into the system (I suppose "system" here means "the compiled binary"). This isn't suitable for a re-distributable project like this, since it unconditionally overrides the system's local security configuration with a vendored policy. I need to use the system's local DNSSEC root (e.g. from `/usr/share/dnssec-root/trusted-key.key`).

Describe the solution you'd like

A feature flag to use the system's local DNSSEC roots.

Describe alternatives you've considered

Embedding the roots statically as done now. This ignores any local configuration which the user may have performed, like adding their own roots for a specific domain.

Additional context

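The system trust-anchor file the issue wants to load deserves a sanity check before it is handed to any validating resolver. The following is an added example, not hickory-dns project code or the issue author's; it assumes the file uses DNSKEY RR presentation format (`<owner> [TTL] [IN] DNSKEY <flags> <protocol> <algorithm> <base64 key>`), accepts only secure-entry-point keys, and computes the RFC 4034 key tag so the anchor can be compared with the published root KSK tag.

```rust
// Added example, not hickory-dns project code: parse a system DNSSEC trust-anchor file
// such as /usr/share/dnssec-root/trusted-key.key, assumed (not verified here) to be in
// DNSKEY RR presentation format. Only KSKs (flags bit 1, the SEP bit) with protocol 3
// are accepted; the RFC 4034 Appendix B key tag is computed for cross-checking.

#[derive(Debug, PartialEq)]
pub struct TrustAnchor { pub owner: String, pub flags: u16, pub algorithm: u8, pub key_tag: u16, pub public_key: Vec<u8> }

/// Minimal RFC 4648 base64 decoder (ignores '=' padding); None on any non-alphabet byte.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes().filter(|c| *c != b'=') {
        acc = (acc << 6) | T.iter().position(|t| *t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); acc &= (1 << bits) - 1; }
    }
    Some(out)
}

/// RFC 4034 Appendix B key tag over the DNSKEY RDATA wire form (flags, protocol, algorithm, key).
fn key_tag(rdata: &[u8]) -> u16 {
    let mut ac: u32 = 0;
    for (i, b) in rdata.iter().enumerate() { ac += if i % 2 == 1 { *b as u32 } else { (*b as u32) << 8 }; }
    ((ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF) as u16
}

/// Parse one record line; Err carries the reason the line must not be used as an anchor.
pub fn parse_anchor_line(line: &str) -> Result<TrustAnchor, String> {
    let f: Vec<&str> = line.split_whitespace().collect();
    let p = f.iter().position(|s| s.eq_ignore_ascii_case("DNSKEY")).ok_or("not a DNSKEY record")?;
    if p == 0 || f.len() < p + 5 { return Err("malformed DNSKEY line".into()); }
    let flags: u16 = f[p + 1].parse().map_err(|_| "bad flags")?;
    let protocol: u8 = f[p + 2].parse().map_err(|_| "bad protocol")?;
    let algorithm: u8 = f[p + 3].parse().map_err(|_| "bad algorithm")?;
    // Presentation format may split the key across several whitespace-separated chunks.
    let public_key = base64_decode(&f[p + 4..].concat()).ok_or("bad base64 key")?;
    if flags & 0x0001 == 0 { return Err(format!("flags {flags}: not a secure entry point (KSK)")); }
    if protocol != 3 { return Err(format!("protocol {protocol} must be 3 (RFC 4034)")); }
    let mut rdata = flags.to_be_bytes().to_vec();
    rdata.extend_from_slice(&[protocol, algorithm]);
    rdata.extend_from_slice(&public_key);
    Ok(TrustAnchor { owner: f[0].to_string(), flags, algorithm, key_tag: key_tag(&rdata), public_key })
}

/// Parse a whole file, skipping blank lines and ';' comments; one Result per record line.
pub fn load_anchors(text: &str) -> Vec<Result<TrustAnchor, String>> {
    text.lines().map(str::trim).filter(|l| !l.is_empty() && !l.starts_with(';')).map(parse_anchor_line).collect()
}
```

Rejected lines should be logged rather than silently dropped: a file that yields zero usable anchors means validation would be running without a trust root, which is the failure mode the issue is trying to avoid.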
kerem closed this issue 2026-03-16 01:33:37 +03:00

@djc commented on GitHub (Mar 17, 2025):

Which version did you look at? `main` has a `ResolverOpts::trust_anchor` field that I think might do what you need.


@WhyNotHugo commented on GitHub (Mar 17, 2025):

That seems to be exactly it. I only checked the README and the docs at docs.rs.

I'll wait for the next release in that case. Thanks!


@djc commented on GitHub (Mar 17, 2025):

(See #2206.)
