Replacing BIND with unbound (Was: Re: Pull in upstream before
9.1 code freeze?)
Darren Pilgrim
list_freebsd at bluerosetech.com
Sun Jul 8 12:58:36 UTC 2012
On 2012-07-08 02:31, Doug Barton wrote:
> On 07/07/2012 17:47, Darren Pilgrim wrote:
>> On 2012-07-07 16:45, Doug Barton wrote:
>>> Also re DNSSEC integration in the base, I've stated before that I
>>> believe very strongly that any kind of hard-coding of trust anchors as
>>> part of the base resolver setup is a bad idea, and should not be done.
>>> We need to leverage the ports system for this so that we don't get stuck
>>> with a scenario where we have stale stuff in the base that is hard for
>>> users to upgrade.
>>
>> Considering the current root update cert bundle has a 20-year root CA
>> and 5-year DNSSEC and email CAs,
>
> Neither of which has any relevance to the actual root zone ZSK, which
> could require an emergency roll tomorrow.
Emergency root key change is handled by just running unbound-anchor
again and have it download the new ZSK. The only thing it can't do is
retrieve the root cert chain--it either uses the compiled-in copy or a
PEM file passed with the -c flag.
Am I missing something in that process?
More information about the freebsd-security
mailing list