Date: Mon, 9 Jul 2012 05:49:32 +0100
From: Matt Dawson <matt@chronos.org.uk>
To: freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-ID: <201207090449.q694nW9C094754@chronos.org.uk>
In-Reply-To: <20473.50867.199081.295841@hergotha.csail.mit.edu>
References: <CA%2BQLa9B-Dm-=hQCrbEgyfO4sKZ5aG72_PEFF9nLhyoy4GRCGrA@mail.gmail.com> <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> <4FF8CA35.7040209@FreeBSD.org> <4FF8D89B.1030308@bluerosetech.com> <4FF95365.7010605@FreeBSD.org> <20473.50867.199081.295841@hergotha.csail.mit.edu>

On Sun, 8 Jul 2012 13:43:15 -0400
Garrett Wollman <wollman@bimajority.org> wrote:

> Surely that's why there's a separate KSK. The ZSK can be rolled at
> any time.

FSVO "any" with a mind to propagation. The KSK is your secure entry point hence, if it is compromised, the tentacles come out if it's included in base by default. Resolver admins need to be aware that these are variables and not constants. Including things like this in base makes it look as if it's carved in stone. Doug's point is well made. TBH, even having the root zone in base is a bit daft.

--
Matt Dawson
MTD15-RIPE
GW0VNR