On a well-managed system, DNSSEC resolution should depend on the system-installed and system-maintained DNSSEC root, not on using icann-ca.pem for individual packages to separately update their root stores via side-channel mechanisms.
Recent versions of knot-resolver should depend directly on the dns-root-data package, and should learn DNS roots from there. If they do not, then please report that as a bug. But I think shipping /etc/knot-resolver/icann-ca.pem would be a mistake. (Also, we do not ship it in Debian.)

--
https://bugs.launchpad.net/bugs/1754774
Title: icann-ca.pem missing from package