[Dnssec-deployment] DNSSEC4J and trust anchors

Adam Fisk adamfisk at gmail.com
Thu Jan 19 15:06:15 EST 2012

Hi Everyone-

I'm working on a new DNSSEC resolution and verification library that's
open source in java at:


This is designed to be used in any context, such as in client apps.
The main thing I'm wondering is the best way to get the trust anchors
for the root zone. Those keys are rolled periodically, right, so just
embedding them in the jar file download itself is probably a no go?
Should I download and cache them over HTTPS at
https://data.iana.org/root-anchors/? Seems like that begs the question
a bit, especially with DNS poisoning attacks combined with bogus certs
potentially giving bogus trust anchors.

Any better way? If anyone out there feels like helping with code
reviews, that's of course welcome too. This is just a first working
version but likely misses something or a few things. All the code is


This work is made possible with the generous support of the good
people at http://nlnet.nl/.

Thanks very much.

-Adam Fisk
Brave New Software Project, Inc.

More information about the Dnssec-deployment mailing list