Date:      Sat, 18 Dec 2010 15:15:22 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        Garrett Wollman <wollman@hergotha.csail.mit.edu>
Cc:        stable@freebsd.org
Subject:   Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x)
Message-ID:  <4D0D408A.2020802@FreeBSD.org>
In-Reply-To: <201012181716.oBIHGS3m099731@hergotha.csail.mit.edu>
References:  <201012181716.oBIHGS3m099731@hergotha.csail.mit.edu>

On 12/18/2010 09:16, Garrett Wollman wrote:
> In article <4D0C49A2.4000203@FreeBSD.org>, dougb@freebsd.org writes:
>
>> In order to avoid repeating the scenario where we have a version of BIND
>> in the base that is not supported by the vendor I am proposing that we
>> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
>
> +1
>
> All users are going to want working DNSsec soon, if they don't
> already, and that requires 9.6.  (In fact, we should start shipping
> with DNSsec enabled by default and the root key pre-configured, if we
> aren't already doing so.)

I'm not planning to do that in the base for a couple of reasons. The
primary one being that, with the way BIND 9.6 handles the root key, it
would have to be manually re-configured when the root key changes. When
that happens (not IF, it will happen someday) users who have the old
configuration will no longer be able to validate. The other reason I
don't want to do it in the base is that one open source OS vendor has
already been burned by doing something similar, and I don't want to
repeat that mistake.

What I do plan to do (and hopefully before the upcoming release) is to 
make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that 
users can enable and disable it easily, have a very easy way of being 
notified of changes, doing the updates, etc. It's also worth pointing 
out that BIND 9.7 and up support RFC 5011 rollover of the root key, 
which ICANN is going to perform, which means that people with "old" root 
keys in their configurations will be much more resilient.


hth,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
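Editor's added example, not part of Doug's message or the FreeBSD port: the two named.conf styles the thread contrasts. A static `trusted-keys` stanza (the only option in BIND 9.6) pins one root KSK and has to be edited by hand when ICANN rolls the key; a `managed-keys` stanza with `initial-key` (BIND 9.7 and later) lets named follow an RFC 5011 rollover on its own. The key material is a placeholder, not the real root KSK, and the `directory` path is assumed.

```conf
// Added example (not from the original message). Use EITHER the
// trusted-keys stanza OR the managed-keys stanza, not both.
// The base64 key string is a PLACEHOLDER; fetch and verify the real root
// KSK out of band before putting it in a config.

options {
    directory "/var/named";        // assumed path; named writes managed-keys.bind here
    dnssec-enable yes;
    dnssec-validation yes;         // validate answers; SERVFAIL on bogus data
};

// --- BIND 9.6 style: static trust anchor ---------------------------------
// named trusts exactly this key. When the root KSK is rolled, this stanza
// must be edited and named reloaded; until that happens every signed
// answer fails validation, which is the failure mode the message describes.
trusted-keys {
    // zone  flags proto alg  DNSKEY public key (base64, PLACEHOLDER)
    "." 257 3 8 "AwEAAa...PLACEHOLDER...";
};

// --- BIND 9.7+ style: RFC 5011 managed trust anchor ----------------------
// The key here is only the *initial* anchor. named checks it against the
// root DNSKEY RRset on first start, keeps its own copy in managed-keys.bind
// and then tracks key additions and revocations itself, so a scheduled
// KSK rollover needs no config change on the resolver.
managed-keys {
    "." initial-key 257 3 8 "AwEAAa...PLACEHOLDER...";
};
```

Two checks worth doing after enabling either form: confirm that `dig +dnssec @127.0.0.1 . SOA` comes back with the `ad` flag set, and, for the managed-keys case, confirm that named can write `managed-keys.bind` in its working directory, since RFC 5011 tracking is silently useless if that file cannot be updated. The caveat behind the "old root keys ... much more resilient" remark is that RFC 5011 only helps a resolver that is running and able to observe the new key during the add hold-down period of the rollover; a resolver that was offline for the whole rollover still ends up with a stale anchor and needs a fresh `initial-key`.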