Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

Matt Dawson matt at chronos.org.uk
Mon Jul 9 04:49:38 UTC 2012


On Sun, 8 Jul 2012 13:43:15 -0400
Garrett Wollman <wollman at bimajority.org> wrote:

> Surely that's why there's a separate KSK.  The ZSK can be rolled at
> any time.

FSVO "any" with a mind to propagation. 

The KSK is your secure entry point hence, if it is compromised, the
tentacles come out if it's included in base by default. Resolver admins
need to be aware that these are variables and not constants. Including
things like this in base makes it look as if it's carved in stone. Doug's
point is well made. TBH, even having the root zone in base is a bit
daft.
-- 
Matt Dawson
MTD15-RIPE
GW0VNR
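The check the reply above implies, as an added example (not code from this thread, from FreeBSD or from unbound): derive the key tag and SHA-256 DS digest of a DNSKEY and confirm it matches a configured trust anchor, so a shipped anchor is verified against the live KSK rather than treated as a constant. The DNSKEY below is a constructed placeholder with a 4-byte dummy key, not the real root KSK.

```python
import base64
import hashlib

# Constructed sample DNSKEY RR for the root zone (".") in zone-file field order:
# owner, flags, protocol, algorithm, base64 public key.  Flags 257 = KSK (SEP bit).
# The key material is a 4-byte placeholder, NOT a real RSASHA256 key.
SAMPLE_DNSKEY = (".", 257, 3, 8, "AQIDBA==")

def name_to_wire(name):
    """Encode an owner name in DNS wire format (the root "." is a single zero byte)."""
    if name in (".", ""):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Serialise DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(name, flags, protocol, algorithm, key_b64):
    """Derive the DS RDATA (key tag, algorithm, digest type 2, hex digest) using SHA-256 (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def anchor_matches(anchor_ds, dnskey):
    """True only if the DNSKEY's key tag, algorithm and SHA-256 digest all equal the configured anchor."""
    return ds_from_dnskey(*dnskey) == anchor_ds

if __name__ == "__main__":
    anchor = ds_from_dnskey(*SAMPLE_DNSKEY)   # stands in for the DS line in a trust-anchor file
    print("trust anchor DS:", anchor)
    print("live DNSKEY matches anchor:", anchor_matches(anchor, SAMPLE_DNSKEY))
```

In practice the anchor tuple comes from the resolver's trust-anchor file and the DNSKEY from a fresh query for the zone apex; a mismatch means the shipped anchor is stale or the key has rolled.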

