From owner-freebsd-security@FreeBSD.ORG Sun Jul 8 12:58:36 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9A01D1065670; Sun, 8 Jul 2012 12:58:36 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from rush.bluerosetech.com (rush.bluerosetech.com [IPv6:2607:fc50:1000:9b00::25]) by mx1.freebsd.org (Postfix) with ESMTP id 5E35A8FC15; Sun, 8 Jul 2012 12:58:36 +0000 (UTC) Received: from vivi.cat.pdx.edu (vivi.cat.pdx.edu [IPv6:2610:10:20:214::6]) by rush.bluerosetech.com (Postfix) with ESMTPSA id 2288311437; Sun, 8 Jul 2012 05:58:35 -0700 (PDT) Received: from [IPv6:2001:470:8643:970:d8c4:f522:d6a8:ec14] (unknown [IPv6:2001:470:8643:970:d8c4:f522:d6a8:ec14]) by vivi.cat.pdx.edu (Postfix) with ESMTPSA id 9E36824D87; Sun, 8 Jul 2012 05:58:33 -0700 (PDT) Message-ID: <4FF983F8.5070006@bluerosetech.com> Date: Sun, 08 Jul 2012 05:58:32 -0700 From: Darren Pilgrim User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.4) Gecko/20120421 Thunderbird/10.0.4 MIME-Version: 1.0 To: Doug Barton References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> <4FF8CA35.7040209@FreeBSD.org> <4FF8D89B.1030308@bluerosetech.com> <4FF95365.7010605@FreeBSD.org> In-Reply-To: <4FF95365.7010605@FreeBSD.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, FreeBSD Hackers Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Jul 2012 12:58:36 -0000 On 2012-07-08 02:31, Doug Barton wrote: > On 07/07/2012 17:47, Darren Pilgrim wrote: >> On 2012-07-07 16:45, Doug Barton wrote: >>> Also re DNSSEC integration in the base, I've stated before that I >>> believe very strongly that any kind of hard-coding of trust anchors as >>> part of the base resolver setup is a bad idea, and should not be done. >>> We need to leverage the ports system for this so that we don't get stuck >>> with a scenario where we have stale stuff in the base that is hard for >>> users to upgrade. >> >> Considering the current root update cert bundle has a 20-year root CA >> and 5-year DNSSEC and email CAs, > > Neither of which has any relevance to the actual root zone ZSK, which > could require an emergency roll tomorrow. Emergency root key change is handled by just running unbound-anchor again and have it download the new ZSK. The only thing it can't do is retrieve the root cert chain--it either uses the compiled-in copy or a PEM file passed with the -c flag. Am I missing something in that process?