From owner-freebsd-stable@FreeBSD.ORG  Sun Dec 19 22:55:43 2010
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 74C4C106564A;
	Sun, 19 Dec 2010 22:55:43 +0000 (UTC) (envelope-from marka@isc.org)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65])
	by mx1.freebsd.org (Postfix) with ESMTP id 28F2F8FC0C;
	Sun, 19 Dec 2010 22:55:43 +0000 (UTC)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "farside.isc.org", Issuer "ISC CA" (verified OK))
	by mx.ams1.isc.org (Postfix) with ESMTPS id E54145F98ED;
	Sun, 19 Dec 2010 22:55:27 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org
	[IPv6:2001:470:1f00:820:ea06:88ff:fef3:4f9c])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by farside.isc.org (Postfix) with ESMTP id D2812E605D;
	Sun, 19 Dec 2010 22:55:25 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1])
	by drugs.dv.isc.org (Postfix) with ESMTP id 8EF718088AD;
	Mon, 20 Dec 2010 09:55:23 +1100 (EST)
To: Doug Barton <dougb@FreeBSD.org>
From: Mark Andrews <marka@isc.org>
References: <201012181716.oBIHGS3m099731@hergotha.csail.mit.edu><4D0D408A.2020802@FreeBSD.org>
In-reply-to: Your message of "Sat, 18 Dec 2010 15:15:22 -0800."
	<4D0D408A.2020802@FreeBSD.org>
Date: Mon, 20 Dec 2010 09:55:23 +1100
Message-Id: <20101219225523.8EF718088AD@drugs.dv.isc.org>
X-Spam-Status: No, score=-1.7 required=5.0 tests=AWL,BAYES_00,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mx.ams1.isc.org
Cc: stable@freebsd.org, Garrett Wollman <wollman@hergotha.csail.mit.edu>
Subject: Re: Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7
	to BIND 9.6.x)
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Dec 2010 22:55:43 -0000


In message <4D0D408A.2020802@FreeBSD.org>, Doug Barton writes:
> On 12/18/2010 09:16, Garrett Wollman wrote:
> > In article<4D0C49A2.4000203@FreeBSD.org>, dougb@freebsd.org writes:
> >
> >> In order to avoid repeating the scenario where we have a version of BIND
> >> in the base that is not supported by the vendor I am proposing that we
> >> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
> >
> > +1
> >
> > All users are going to want working DNSsec soon, if they don't
> > already, and that requires 9.6.  (In fact, we should start shipping
> > with DNSsec enabled by default and the root key pre-configured, if we
> > aren't already doing so.)
> 
> I'm not planning to do that in the base for a couple of reasons. The 
> primary one being that the way BIND 9.6 handles the root key it would 
> have to be manually re-configured when the root key changes. When that 
> happens (not IF, it will happen someday) users who have the old 
> configuration will no longer be able to validate. The other reason I 
> don't want to do it in the base is that one open source OS vendor has 
> already been burned by doing something similar, and I don't want to 
> repeat that mistake.

They also failed to put into place procedures to track the trust
anchors as they change.  OS vendors are in a much better place to
do this than nameserver vendors.  

> What I do plan to do (and hopefully before the upcoming release) is to 
> make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that 
> users can enable and disable it easily, have a very easy way of being 
> notified of changes, doing the updates, etc. It's also worth pointing 
> out that BIND 9.7 and up support RFC 5011 rollover of the root key, 
> which ICANN is going to perform, which means that people with "old" root 
> keys in their configurations will be much more resilient.

There is still a boot stap issue to be addressed.

BIND 9.6 and BIND 9.7 has /etc/bind.keys which needs to be updated as the
keys referenced there change.  This is just a reference file in BIND 9.6.
 
> hth,
> 
> Doug
> 
> -- 
> 
> 	Nothin' ever doesn't change, but nothin' changes much.
> 			-- OK Go
> 
> 	Breadth of IT experience, and depth of knowledge in the DNS.
> 	Yours for the right price.  :)  http://SupersetSolutions.com/
> 
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org