From: Doug Barton <dougb@FreeBSD.org>
Date: Sat, 18 Dec 2010 15:15:22 -0800
To: Garrett Wollman
Cc: stable@freebsd.org
Subject: Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x)
Message-ID: <4D0D408A.2020802@FreeBSD.org>
In-Reply-To: <201012181716.oBIHGS3m099731@hergotha.csail.mit.edu>

On 12/18/2010 09:16, Garrett Wollman wrote:
> In article <4D0C49A2.4000203@FreeBSD.org>, dougb@freebsd.org writes:
>
>> In order to avoid repeating the scenario where we have a version of BIND
>> in the base that is not supported by the vendor I am proposing that we
>> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
>
> +1
>
> All users are going to want working DNSsec soon, if they don't
> already, and that requires 9.6. (In fact, we should start shipping
> with DNSsec enabled by default and the root key pre-configured, if we
> aren't already doing so.)

I'm not planning to do that in the base for a couple of reasons. The
primary one being that, the way BIND 9.6 handles the root key, it would
have to be manually re-configured when the root key changes. When that
happens (not IF, it will happen someday) users who have the old
configuration will no longer be able to validate.

The other reason I don't want to do it in the base is that one open
source OS vendor has already been burned by doing something similar, and
I don't want to repeat that mistake.

What I do plan to do (and hopefully before the upcoming release) is to
make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that
users can enable and disable it easily, have a very easy way of being
notified of changes, doing the updates, etc.

It's also worth pointing out that BIND 9.7 and up support RFC 5011
rollover of the root key, which ICANN is going to perform, which means
that people with "old" root keys in their configurations will be much
more resilient.

hth,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/
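Added example, not part of Doug's or Garrett's messages and not FreeBSD's or ISC's shipped configuration: the two named.conf trust-anchor styles the message contrasts, a static BIND 9.6 trusted-keys entry beside the RFC 5011 managed-keys form that BIND 9.7+ accepts. The key string is a placeholder, not a real root KSK; the real one has to be obtained from IANA and verified out of band.

```conf
// Added example (not from the thread). Use exactly ONE of the two key
// blocks below; if both name "." the static trusted-keys entry wins and
// the RFC 5011 tracking is never used.

// BIND 9.6 style: a static trust anchor. When ICANN rolls the root KSK
// this entry goes stale and every answer below "." fails validation
// (SERVFAIL) until an operator edits this file and reloads named. This
// is the failure mode Doug describes above.
trusted-keys {
    "." 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64-PLACEHOLDER>";
};

// BIND 9.7+ style: the same key, but only as the RFC 5011 starting
// point. named watches the root DNSKEY RRset, accepts a new KSK once it
// has been published and signed for the add hold-down period (30 days
// in RFC 5011), retires the old one when it is revoked, and keeps the
// current set in a managed-keys file in its working directory. No
// manual edit is needed at rollover, which is why "old" initial keys
// remain usable.
managed-keys {
    "." initial-key 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64-PLACEHOLDER>";
};

options {
    dnssec-enable yes;
    // "yes" means validate only against explicitly configured anchors,
    // so one of the blocks above must be present or nothing validates.
    dnssec-validation yes;
};
```

A resolver that shows the static form should be treated as having a scheduled outage at the next root KSK roll; moving it to managed-keys removes that date from the calendar.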