Re: Replacing BIND with unbound (Was: Re: Pull in upstream befor
On 07/07/2012 17:47, Darren Pilgrim wrote:
> On 2012-07-07 16:45, Doug Barton wrote:
>> Also re DNSSEC integration in the base, I've stated before that I
>> believe very strongly that any kind of hard-coding of trust anchors as
>> part of the base resolver setup is a bad idea, and should not be done.
>> We need to leverage the ports system for this so that we don't get stuck
>> with a scenario where we have stale stuff in the base that is hard for
>> users to upgrade.
>
> Considering the current root update cert bundle has a 20-year root CA
> and 5-year DNSSEC and email CAs,
Neither of which has any relevance to the actual root zone ZSK, which
could require an emergency roll tomorrow.
> I don't think it's unreasonable to
> maintain a copy of icannbundle.pem in the source tree
Again, that has nothing to do with the actual ZSK, other than providing
a way to validate the *existing* one. That's not the issue, at all.
--
This .signature sanitized for your protection
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 6 之 18 篇):