Date:      Sun, 08 Jul 2012 05:58:32 -0700
From:      Darren Pilgrim <list_freebsd@bluerosetech.com>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-security@freebsd.org, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-ID:  <4FF983F8.5070006@bluerosetech.com>
In-Reply-To: <4FF95365.7010605@FreeBSD.org>
References:  <CA+QLa9B-Dm-=hQCrbEgyfO4sKZ5aG72_PEFF9nLhyoy4GRCGrA@mail.gmail.com> <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> <4FF8CA35.7040209@FreeBSD.org> <4FF8D89B.1030308@bluerosetech.com> <4FF95365.7010605@FreeBSD.org>

On 2012-07-08 02:31, Doug Barton wrote:
> On 07/07/2012 17:47, Darren Pilgrim wrote:
>> On 2012-07-07 16:45, Doug Barton wrote:
>>> Also re DNSSEC integration in the base, I've stated before that I
>>> believe very strongly that any kind of hard-coding of trust anchors as
>>> part of the base resolver setup is a bad idea, and should not be done.
>>> We need to leverage the ports system for this so that we don't get stuck
>>> with a scenario where we have stale stuff in the base that is hard for
>>> users to upgrade.
>>
>> Considering the current root update cert bundle has a 20-year root CA
>> and 5-year DNSSEC and email CAs,
>
> Neither of which has any relevance to the actual root zone ZSK, which
> could require an emergency roll tomorrow.

Emergency root key change is handled by just running unbound-anchor 
again and having it download the new ZSK.  The only thing it can't do is 
retrieve the root cert chain--it either uses the compiled-in copy or a 
PEM file passed with the -c flag.

Am I missing something in that process?
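The re-run described in this reply, as an added example that is not part of the thread or of unbound's own tooling: a small shell wrapper that invokes unbound-anchor with an explicit anchor file and a PEM bundle via -c, reports what the exit status means, and then checks that the resulting anchor file actually holds a DS or DNSKEY record for the root zone rather than trusting the exit status alone. The file paths, the environment variable names and the sample anchor content in the comments are assumptions for illustration; the exit-status meanings are those documented in the unbound-anchor manual.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Refreshes the root trust
# anchor with unbound-anchor and sanity-checks the written anchor file.

# Assumed locations; adjust to the local install (the base-system and port
# layouts differ).
ANCHOR="${ANCHOR:-/var/unbound/root.key}"
CERT="${CERT:-/usr/local/etc/unbound/icannbundle.pem}"

# Succeeds (exit 0) only if the file contains at least one record whose owner
# is the root zone "." and whose type is DS or DNSKEY. Comment lines starting
# with ";" and blank lines are ignored, as in the autotrust file format.
anchor_file_ok() {
    awk 'BEGIN { missing = 1 }
         /^[ \t]*;/ || /^[ \t]*$/ { next }
         $1 == "." {
             # type sits in field 2..5 depending on whether TTL/class are present
             for (i = 2; i <= NF && i <= 5; i++)
                 if ($i == "DS" || $i == "DNSKEY") missing = 0
         }
         END { exit missing }' "$1"
}

# Runs unbound-anchor and interprets its exit status per the manual:
#   0 = anchor already current, updated by RFC 5011 tracking, or an error
#       (which is why the file check afterwards matters)
#   1 = anchor rewritten from the certificate-verified root-anchors.xml or
#       from the compiled-in copy
refresh_root_anchor() {
    if unbound-anchor -a "$ANCHOR" -c "$CERT"; then
        echo "unbound-anchor: anchor current or RFC 5011 update (exit 0)"
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "unbound-anchor: anchor rewritten from certificate-verified bundle (exit 1)"
        else
            echo "unbound-anchor: unexpected exit status $rc" >&2
            return 1
        fi
    fi
    if anchor_file_ok "$ANCHOR"; then
        echo "anchor file $ANCHOR holds a root DS/DNSKEY record"
    else
        echo "anchor file $ANCHOR has no root DS/DNSKEY record" >&2
        return 1
    fi
}

# Only contact the network when explicitly asked: sh refresh-anchor.sh run
if [ "${1:-}" = "run" ]; then
    refresh_root_anchor
fi
```

Run it as `sh refresh-anchor.sh run` on a host with unbound-anchor installed; without the `run` argument it only defines the functions. The file check is the useful part from an operations standpoint: because unbound-anchor also exits 0 on some error paths, a monitoring job should verify the anchor file's contents (and its modification time) rather than the exit code alone.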
