Re: Replacing BIND with unbound (Was: Re: Pull in upstream befor

Board: FB_security, posted 2012/07/08 21:32
On 2012-07-08 02:31, Doug Barton wrote:
> On 07/07/2012 17:47, Darren Pilgrim wrote:
>> On 2012-07-07 16:45, Doug Barton wrote:
>>> Also re DNSSEC integration in the base, I've stated before that I
>>> believe very strongly that any kind of hard-coding of trust anchors as
>>> part of the base resolver setup is a bad idea, and should not be done.
>>> We need to leverage the ports system for this so that we don't get stuck
>>> with a scenario where we have stale stuff in the base that is hard for
>>> users to upgrade.
>>
>> Considering the current root update cert bundle has a 20-year root CA
>> and 5-year DNSSEC and email CAs,
>
> Neither of which has any relevance to the actual root zone ZSK, which
> could require an emergency roll tomorrow.

Emergency root key change is handled by just running unbound-anchor
again and having it download the new ZSK. The only thing it can't do is
retrieve the root cert chain--it either uses the compiled-in copy or a
PEM file passed with the -c flag.

Am I missing something in that process?

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"