From owner-freebsd-net@freebsd.org Mon Nov 13 21:07:56 2017
Subject: Re: chroot implementation of bind and kea
From: Viktor Dukhovni
To: freebsd-net@freebsd.org
Date: Mon, 13 Nov 2017 16:07:35 -0500
In-Reply-To: <5A0A084C.2000703@quip.cz>
List-Id: Networking and TCP/IP with FreeBSD

> On Nov 13, 2017, at 4:02 PM, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> I think keys can be updated by updating the port or by some dedicated
> periodic script. It seems safer to me.

In theory it may be safer. In practice, it tends to not happen in a
timely manner, leading to outages. Automated RFC 5011 key rollover is
a necessity. The package needs to support it by default.

-- 
Viktor.
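The automated RFC 5011 rollover referred to above is a per-key state machine (Start, AddPend, Valid, Missing, Revoked, Removed) driven by two 30-day hold-down timers. The Python below is an illustration added to this archived thread; it is not code from the message, from BIND or from Kea. Everything in it is constructed: the key labels `A` and `B`, the timeline in `simulate_rollover`, and the reduction of RRSIG validation to a list of signer labels. The rule that a pending key must be seen in at least two polls is a simplification of the RFC's add hold-down handling, and keys are identified by a fixed label rather than a key tag, since the real tag changes when the revoke bit is set.

```python
"""Simplified RFC 5011 trust-anchor state machine (illustrative, constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Set

DAY = 24 * 3600
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 s2.4.1: a new key stays pending for 30 days
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 s2.4.2: a revoked key lingers for 30 days
REVOKE_BIT = 0x0080          # DNSKEY flags bit 8, defined by RFC 5011 s7
SEP_BIT = 0x0001             # Secure Entry Point flag (RFC 4034)


class State(Enum):
    START = "Start"
    ADD_PEND = "AddPend"
    VALID = "Valid"
    MISSING = "Missing"
    REVOKED = "Revoked"
    REMOVED = "Removed"


@dataclass(frozen=True)
class DNSKEY:
    """Constructed stand-in for a DNSKEY RR; `kid` is a label we assign."""
    kid: str
    flags: int

    def is_revoked(self) -> bool:
        return bool(self.flags & REVOKE_BIT)

    def is_sep(self) -> bool:
        return bool(self.flags & SEP_BIT)


@dataclass
class Anchor:
    state: State
    since: float   # epoch seconds when the current state was entered
    seen: int = 0  # polls in which the key was observed while AddPend


class TrustPoint:
    def __init__(self, initial_kids: Iterable[str], now: float):
        # Keys configured by the operator start out Valid (RFC 5011 s2.1).
        self.anchors: Dict[str, Anchor] = {
            kid: Anchor(State.VALID, now) for kid in initial_kids}

    def trusted(self) -> Set[str]:
        """Keys usable for validation: Valid, plus Missing (still trusted, abnormal)."""
        return {k for k, a in self.anchors.items()
                if a.state in (State.VALID, State.MISSING)}

    def state_of(self, kid: str) -> State:
        return self.anchors.get(kid, Anchor(State.START, 0.0)).state

    def observe(self, rrset: Iterable[DNSKEY], signer_kids: Iterable[str],
                now: float) -> None:
        """Process one active-refresh poll of the trust point's DNSKEY RRset."""
        signers = set(signer_kids)
        # Ignore the RRset unless a key we already trust signed it (RFC 5011 s2.1).
        if not signers & self.trusted():
            return
        present = {k.kid: k for k in rrset}

        # Transitions driven by keys present in this poll.
        for kid, key in present.items():
            a = self.anchors.get(kid)
            if key.is_revoked():
                # A revocation counts only if the revoked key itself signed the RRset.
                if kid not in signers or a is None:
                    continue
                if a.state == State.ADD_PEND:
                    self.anchors[kid] = Anchor(State.START, now)   # back to Start
                elif a.state in (State.VALID, State.MISSING):
                    self.anchors[kid] = Anchor(State.REVOKED, now)
                continue
            if a is None or a.state == State.START:
                if key.is_sep():  # only SEP keys become candidate trust anchors
                    self.anchors[kid] = Anchor(State.ADD_PEND, now, seen=1)
            elif a.state == State.ADD_PEND:
                a.seen += 1
                if now - a.since >= ADD_HOLD_DOWN and a.seen >= 2:
                    self.anchors[kid] = Anchor(State.VALID, now)
            elif a.state == State.MISSING:
                self.anchors[kid] = Anchor(State.VALID, now)

        # Transitions driven by keys absent from this poll, and the removal timer.
        for kid, a in list(self.anchors.items()):
            if kid not in present:
                if a.state == State.ADD_PEND:
                    self.anchors[kid] = Anchor(State.START, now)   # hold-down restarts
                elif a.state == State.VALID:
                    self.anchors[kid] = Anchor(State.MISSING, now)
            if a.state == State.REVOKED and now - a.since >= REMOVE_HOLD_DOWN:
                self.anchors[kid] = Anchor(State.REMOVED, now)


def simulate_rollover() -> Dict[str, State]:
    """Constructed timeline: KSK 'A' is pre-configured, 'B' is introduced and
    matures, then 'A' is revoked and aged out. Returns each key's final state."""
    t0 = 1_500_000_000.0
    a, b = DNSKEY("A", 257), DNSKEY("B", 257)           # 257 = SEP + zone key
    a_rev = DNSKEY("A", 257 | REVOKE_BIT)
    tp = TrustPoint(["A"], t0)
    tp.observe([a, b], ["A"], t0 + 1 * DAY)             # B first seen: AddPend
    tp.observe([a, b], ["A"], t0 + 10 * DAY)            # still inside hold-down
    tp.observe([a, b], ["A"], t0 + 32 * DAY)            # hold-down over: B Valid
    tp.observe([a_rev, b], ["A", "B"], t0 + 40 * DAY)   # A self-signs revocation
    tp.observe([b], ["B"], t0 + 71 * DAY)               # remove hold-down over
    return {kid: anc.state for kid, anc in tp.anchors.items()}
```

The polling is what makes the scheme work: a resolver that first sees the new key only shortly before the old one is revoked still has the new key in AddPend when the revocation lands, at which point nothing is trusted and later RRsets are ignored. That is the outage the message is warning about, and it is why the rollover has to run continuously in the package rather than wait for a port update or a periodic script.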