From: Matt Dawson <matt@chronos.org.uk>
To: freebsd-security@freebsd.org
Date: Mon, 9 Jul 2012 05:49:32 +0100
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-Id: <201207090449.q694nW9C094754@chronos.org.uk>
In-Reply-To: <20473.50867.199081.295841@hergotha.csail.mit.edu>

On Sun, 8 Jul 2012 13:43:15 -0400 Garrett Wollman wrote:

> Surely that's why there's a separate KSK. The ZSK can be rolled at
> any time.

FSVO "any" with a mind to propagation.

The KSK is your secure entry point; hence, if it is compromised, the tentacles come out if it's included in base by default. Resolver admins need to be aware that these are variables and not constants. Including things like this in base makes it look as if it's carved in stone. Doug's point is well made.

TBH, even having the root zone in base is a bit daft.

-- 
Matt Dawson
MTD15-RIPE
GW0VNR
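The point above is that a trust anchor shipped as a fixed value will silently go stale (or stay trusted after a compromise) unless the resolver tracks key rollovers. As an added illustration, not part of this thread and not FreeBSD's shipped configuration, the unbound.conf fragment below contrasts a static anchor with one managed under RFC 5011 automated updates; the file paths are assumptions, and the DS record is a placeholder, not the real root key.

```conf
server:
    # Static anchor: unbound reads this file once and never updates it.
    # If the KSK is rolled or revoked, validation breaks (or keeps trusting
    # a revoked key) until an operator edits the file by hand.
    # trust-anchor-file: "/etc/unbound/root.key.static"

    # Tracked anchor (RFC 5011): unbound polls the zone's DNSKEY RRset,
    # accepts new KSKs after the hold-down period, honours the REVOKE bit,
    # and rewrites this file itself, so the daemon needs write access to it.
    # Seed it with the current root KSK via: unbound-anchor -a /var/unbound/root.key
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Placeholder content of the seed file (one DS or DNSKEY record per line);
    # the digest below is constructed and is NOT the real root trust anchor:
    # . IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000

    # Optional: keep a root hints file alongside so priming the root does not
    # rely on compiled-in addresses either.
    # root-hints: "/var/unbound/root.hints"
```

Operational check: after a restart, `unbound-control list_trust_anchors`... no; the reliable check is to inspect the tracked file, which unbound annotates with `;;state=2 [ VALID ]` once a key is active and `;;state=4 [ REVOKED ]` once it sees the REVOKE bit, and to confirm `unbound-host -v -C /etc/unbound/unbound.conf .` reports `(secure)`.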