Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Darren Pilgrim
list_freebsd at bluerosetech.com
Sun Jul 8 00:48:48 UTC 2012
On 2012-07-07 16:45, Doug Barton wrote:
> Also re DNSSEC integration in the base, I've stated before that I
> believe very strongly that any kind of hard-coding of trust anchors as
> part of the base resolver setup is a bad idea, and should not be done.
> We need to leverage the ports system for this so that we don't get stuck
> with a scenario where we have stale stuff in the base that is hard for
> users to upgrade.
Considering the current root update cert bundle has a 20-year root CA
and 5-year DNSSEC and email CAs, I don't think it's unreasonable to
maintain a copy of icannbundle.pem in the source tree or simply rely on
the copy built into unbound-anchor.
More information about the freebsd-hackers mailing list