Date: Mon, 20 Dec 2010 09:55:23 +1100
From: Mark Andrews <marka@isc.org>
To: Doug Barton <dougb@FreeBSD.org>
Cc: stable@freebsd.org, Garrett Wollman <wollman@hergotha.csail.mit.edu>
Subject: Re: Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x)
Message-ID: <20101219225523.8EF718088AD@drugs.dv.isc.org>
In-Reply-To: Your message of "Sat, 18 Dec 2010 15:15:22 -0800." <4D0D408A.2020802@FreeBSD.org>
References: <201012181716.oBIHGS3m099731@hergotha.csail.mit.edu> <4D0D408A.2020802@FreeBSD.org>
In message <4D0D408A.2020802@FreeBSD.org>, Doug Barton writes:
> On 12/18/2010 09:16, Garrett Wollman wrote:
> > In article <4D0C49A2.4000203@FreeBSD.org>, dougb@freebsd.org writes:
> >
> >> In order to avoid repeating the scenario where we have a version of BIND
> >> in the base that is not supported by the vendor I am proposing that we
> >> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
> >
> > +1
> >
> > All users are going to want working DNSsec soon, if they don't
> > already, and that requires 9.6. (In fact, we should start shipping
> > with DNSsec enabled by default and the root key pre-configured, if we
> > aren't already doing so.)
>
> I'm not planning to do that in the base for a couple of reasons. The
> primary one being that the way BIND 9.6 handles the root key it would
> have to be manually re-configured when the root key changes. When that
> happens (not IF, it will happen someday) users who have the old
> configuration will no longer be able to validate. The other reason I
> don't want to do it in the base is that one open source OS vendor has
> already been burned by doing something similar, and I don't want to
> repeat that mistake.

They also failed to put into place procedures to track the trust anchors
as they change. OS vendors are in a much better place to do this than
nameserver vendors.

> What I do plan to do (and hopefully before the upcoming release) is to
> make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that
> users can enable and disable it easily, have a very easy way of being
> notified of changes, doing the updates, etc. It's also worth pointing
> out that BIND 9.7 and up support RFC 5011 rollover of the root key,
> which ICANN is going to perform, which means that people with "old" root
> keys in their configurations will be much more resilient.

There is still a bootstrap issue to be addressed. BIND 9.6 and BIND 9.7
have /etc/bind.keys which needs to be updated as the keys referenced there
change. This is just a reference file in BIND 9.6.

> hth,
>
> Doug
>
> --
>
> Nothin' ever doesn't change, but nothin' changes much.
> -- OK Go
>
> Breadth of IT experience, and depth of knowledge in the DNS.
> Yours for the right price. :) http://SupersetSolutions.com/
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
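As an added example (written for this archive page; it is not code from Mark Andrews's message, from BIND, or from the FreeBSD port): a small Python script for the bootstrap problem the message describes. It parses the trust anchors out of a bind.keys-style file in both the BIND 9.6 `trusted-keys` form and the BIND 9.7 `managed-keys ... initial-key` form, computes each key's RFC 4034 key tag and SHA-256 DS digest, and compares them against a DS list the administrator obtained out of band (for the root zone, the DS that IANA publishes). The embedded file content and its four-byte public key are constructed stand-ins, not the real root key; a static `trusted-keys` entry is reported as a warning because it will not follow an RFC 5011 rollover.

```python
import base64
import hashlib
import re
import struct

# Constructed bind.keys-style input. "AQIDBA==" decodes to bytes 01 02 03 04 and
# is a made-up stand-in, NOT the real root KSK. Replace with your own
# /etc/bind.keys content (and the DS list IANA publishes) to check a real resolver.
SAMPLE_BIND_KEYS = """
# BIND 9.7 style: RFC 5011 managed anchor, tracked automatically after bootstrap
managed-keys {
    . initial-key 257 3 8 "AQIDBA==";
};

# BIND 9.6 style: static anchor, must be edited by hand on every rollover
trusted-keys {
    . 257 3 8 "AQIDBA==";
};
"""

ANCHOR_RE = re.compile(
    r'(?P<name>\S+)\s+(?P<managed>initial-key\s+)?'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]*)"\s*;'
)


def name_to_wire(name):
    """Owner name in DNS wire format, lowercased, as the DS digest input requires."""
    if name == ".":
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    pubkey = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(name, rdata):
    """DS digest type 2: SHA-256(owner name in wire format | DNSKEY RDATA), upper hex."""
    return hashlib.sha256(name_to_wire(name) + rdata).hexdigest().upper()


def parse_anchors(text):
    """One dict per anchor found in trusted-keys / managed-keys blocks (comments skipped)."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith(("#", "//"))]
    anchors = []
    for m in ANCHOR_RE.finditer("\n".join(lines)):
        flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
        rdata = dnskey_rdata(flags, proto, alg, m["key"])
        anchors.append({
            "name": m["name"],
            "flags": flags,
            "algorithm": alg,
            "key_tag": key_tag(rdata),
            "ds_sha256": ds_sha256(m["name"], rdata),
            "managed": m["managed"] is not None,
        })
    return anchors


def check_anchors(text, published_ds):
    """Compare every configured anchor with an out-of-band DS list.

    published_ds maps (owner name, key tag, algorithm) -> SHA-256 DS digest.
    Returns (errors, warnings). An error means the resolver trusts a key the
    zone operator does not currently publish; a warning means the anchor is
    static and will have to be edited by hand at the next rollover.
    """
    errors, warnings = [], []
    for a in parse_anchors(text):
        where = "%s key tag %d alg %d" % (a["name"], a["key_tag"], a["algorithm"])
        if not a["flags"] & 1:
            errors.append(where + ": SEP bit not set, this is not a KSK")
        expected = published_ds.get((a["name"], a["key_tag"], a["algorithm"]))
        if expected is None:
            errors.append(where + ": no published DS for this key (stale or unknown anchor)")
        elif expected.upper() != a["ds_sha256"]:
            errors.append(where + ": DS digest mismatch, configured key differs from published one")
        elif not a["managed"]:
            warnings.append(where + ": static trusted-keys entry, will not follow RFC 5011 rollover")
    return errors, warnings


if __name__ == "__main__":
    # Constructed "published" DS built from the sample key itself, so the run is offline.
    first = parse_anchors(SAMPLE_BIND_KEYS)[0]
    published = {(first["name"], first["key_tag"], first["algorithm"]): first["ds_sha256"]}
    errs, warns = check_anchors(SAMPLE_BIND_KEYS, published)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Run against a real anchor file, the script gives an administrator a repeatable check to run after an OS or port upgrade and at each announced rollover: the key tag and digest of what is configured either match what the zone operator publishes or they do not, independent of whether the resolver itself is currently validating.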