From owner-freebsd-stable@FreeBSD.ORG Sun Dec 19 22:55:43 2010
Return-Path:
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
    by hub.freebsd.org (Postfix) with ESMTP id 74C4C106564A;
    Sun, 19 Dec 2010 22:55:43 +0000 (UTC)
    (envelope-from marka@isc.org)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65])
    by mx1.freebsd.org (Postfix) with ESMTP id 28F2F8FC0C;
    Sun, 19 Dec 2010 22:55:43 +0000 (UTC)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK))
    by mx.ams1.isc.org (Postfix) with ESMTPS id E54145F98ED;
    Sun, 19 Dec 2010 22:55:27 +0000 (UTC)
    (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:ea06:88ff:fef3:4f9c])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (Client did not present a certificate)
    by farside.isc.org (Postfix) with ESMTP id D2812E605D;
    Sun, 19 Dec 2010 22:55:25 +0000 (UTC)
    (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1])
    by drugs.dv.isc.org (Postfix) with ESMTP id 8EF718088AD;
    Mon, 20 Dec 2010 09:55:23 +1100 (EST)
To: Doug Barton
From: Mark Andrews
References: <201012181716.oBIHGS3m099731@hergotha.csail.mit.edu> <4D0D408A.2020802@FreeBSD.org>
In-reply-to: Your message of "Sat, 18 Dec 2010 15:15:22 -0800." <4D0D408A.2020802@FreeBSD.org>
Date: Mon, 20 Dec 2010 09:55:23 +1100
Message-Id: <20101219225523.8EF718088AD@drugs.dv.isc.org>
X-Spam-Status: No, score=-1.7 required=5.0 tests=AWL,BAYES_00,T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mx.ams1.isc.org
Cc: stable@freebsd.org, Garrett Wollman
Subject: Re: Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x)
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 19 Dec 2010 22:55:43 -0000

In message <4D0D408A.2020802@FreeBSD.org>, Doug Barton writes:
> On 12/18/2010 09:16, Garrett Wollman wrote:
> > In article <4D0C49A2.4000203@FreeBSD.org>, dougb@freebsd.org writes:
> >
> >> In order to avoid repeating the scenario where we have a version of BIND
> >> in the base that is not supported by the vendor I am proposing that we
> >> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
> >
> > +1
> >
> > All users are going to want working DNSsec soon, if they don't
> > already, and that requires 9.6.  (In fact, we should start shipping
> > with DNSsec enabled by default and the root key pre-configured, if we
> > aren't already doing so.)
>
> I'm not planning to do that in the base for a couple of reasons. The
> primary one being that the way BIND 9.6 handles the root key it would
> have to be manually re-configured when the root key changes. When that
> happens (not IF, it will happen someday) users who have the old
> configuration will no longer be able to validate. The other reason I
> don't want to do it in the base is that one open source OS vendor has
> already been burned by doing something similar, and I don't want to
> repeat that mistake.

They also failed to put into place procedures to track the trust anchors
as they change.  OS vendors are in a much better place to do this than
nameserver vendors.

> What I do plan to do (and hopefully before the upcoming release) is to
> make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that
> users can enable and disable it easily, have a very easy way of being
> notified of changes, doing the updates, etc. It's also worth pointing
> out that BIND 9.7 and up support RFC 5011 rollover of the root key,
> which ICANN is going to perform, which means that people with "old" root
> keys in their configurations will be much more resilient.

There is still a boot strap issue to be addressed.  BIND 9.6 and BIND 9.7
have /etc/bind.keys which needs to be updated as the keys referenced
there change.  This is just a reference file in BIND 9.6.

> hth,
>
> Doug
>
> --
>
>     Nothin' ever doesn't change, but nothin' changes much.
>             -- OK Go
>
>     Breadth of IT experience, and depth of knowledge in the DNS.
>     Yours for the right price.  :)  http://SupersetSolutions.com/
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
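The thread turns on two points: a statically configured root key (the BIND 9.6 trusted-keys style) stops validating once the root KSK rolls, and even with RFC 5011 managed-keys the bind.keys reference file has to be kept in step with the published keys. The script below is an added example, not code from the thread, from FreeBSD or from BIND. It shows the kind of check an OS vendor or operator could run to track the anchors as they change: it parses the anchors out of a bind.keys-style file (distinguishing managed anchors by the initial-key keyword), computes their RFC 4034 key tags, and compares them against a DNSKEY RRset in dig's presentation format to report stale anchors and newly published KSKs that no anchor covers. All key material is constructed sample data, not real root keys, and the ANCHOR_RE parser only handles the statement shapes shown in its comment.

```python
import base64
import re

# Added example (not BIND's own code).  All key material below is constructed
# sample data, not real root keys.

# One anchor statement in either style:
#   trusted-keys { "." 257 3 8 "..."; };            static, BIND 9.6
#   managed-keys { . initial-key 257 3 8 "..."; };  RFC 5011, BIND 9.7+
ANCHOR_RE = re.compile(
    r'"?(?P<name>[A-Za-z0-9._-]+)"?\s+(?:(?P<managed>initial-key)\s+)?'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;'
)


def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (algorithms other than 1)."""
    rdata = bytes([flags >> 8, flags & 0xFF, proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_bind_keys(text):
    """Return the anchors in a bind.keys-style file, each with its key tag."""
    # Strip comments by line, not by token: base64 key material may contain '/'.
    text = re.sub(r"(?m)^\s*(#|//).*$", "", text)
    text = re.sub(r";[ \t]*(#|//)[^\n]*", ";", text)
    anchors = []
    for m in ANCHOR_RE.finditer(text):
        # named allows the quoted key to be wrapped over several lines
        pubkey = base64.b64decode(re.sub(r"\s+", "", m.group("key")))
        flags, proto, alg = (int(m.group(g)) for g in ("flags", "proto", "alg"))
        anchors.append({"name": m.group("name"),
                        "mode": "managed" if m.group("managed") else "static",
                        "tag": key_tag(flags, proto, alg, pubkey)})
    return anchors


def parse_dnskey_rrset(text):
    """Parse dig-style DNSKEY lines into (owner, flags, key tag) tuples."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";") or "DNSKEY" not in parts:
            continue
        i = parts.index("DNSKEY")
        flags, proto, alg = (int(p) for p in parts[i + 1:i + 4])
        pubkey = base64.b64decode("".join(parts[i + 4:]))
        keys.append((parts[0], flags, key_tag(flags, proto, alg, pubkey)))
    return keys


def check_anchors(anchors, rrset):
    """Mark each anchor current/stale and list published KSKs no anchor covers."""
    # Flags bit 1 is SEP: the key is a KSK, the only sensible trust anchor.
    published = {(owner, tag) for owner, flags, tag in rrset if flags & 1}
    covered = {(a["name"], a["tag"]) for a in anchors}
    return {
        "anchors": [dict(a, status="current" if (a["name"], a["tag"]) in published
                         else "stale") for a in anchors],
        "uncovered_ksks": sorted(tag for _, tag in published - covered),
    }


# Constructed sample config: an RFC 5011 managed anchor plus a leftover static one.
SAMPLE_BIND_KEYS = """
# constructed sample, not a real bind.keys
managed-keys {
    . initial-key 257 3 8 "AQID
                           BA==";
};
trusted-keys {
    "." 257 3 8 "Bw==";   // stale anchor left over from an older install
};
"""

# Constructed sample DNSKEY RRset as dig prints it: the current KSK, a ZSK, and
# a newly pre-published KSK that no configured anchor covers yet.
SAMPLE_ROOT_DNSKEYS = """
.  172800 IN DNSKEY 257 3 8 AQIDBA==
.  172800 IN DNSKEY 256 3 8 BQY=
.  172800 IN DNSKEY 257 3 8 CgsMDQ==
"""


def run_sample_check():
    """Run the comparison on the constructed data and return the report."""
    return check_anchors(parse_bind_keys(SAMPLE_BIND_KEYS),
                         parse_dnskey_rrset(SAMPLE_ROOT_DNSKEYS))
```

On the constructed data, run_sample_check() reports the managed anchor (tag 2063) as current, the static anchor (tag 2825) as stale, and KSK tag 6689 as published but not covered by any anchor; a real deployment would feed it the contents of /etc/bind.keys and the output of a DNSKEY query for the root, and alert on any stale or uncovered entry. Note that a managed-keys anchor only needs to be correct at the moment named first starts, after which RFC 5011 keeps it current; a trusted-keys anchor must be corrected by hand, which is the failure Doug describes.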