From: Darren Pilgrim <list_freebsd@bluerosetech.com>
Date: Sat, 07 Jul 2012 17:48:39 -0700
Message-ID: <4FF8D8E7.5060409@bluerosetech.com>
In-Reply-To: <4FF8CA35.7040209@FreeBSD.org>
References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> <4FF8CA35.7040209@FreeBSD.org>
To: Doug Barton
Cc: freebsd-security@freebsd.org, FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>
On 2012-07-07 16:45, Doug Barton wrote:
> Also re DNSSEC integration in the base, I've stated before that I
> believe very strongly that any kind of hard-coding of trust anchors as
> part of the base resolver setup is a bad idea, and should not be done.
> We need to leverage the ports system for this so that we don't get stuck
> with a scenario where we have stale stuff in the base that is hard for
> users to upgrade.

Considering the current root update cert bundle has a 20-year root CA and 5-year DNSSEC and email CAs, I don't think it's unreasonable to maintain a copy of icannbundle.pem in the source tree or simply rely on the copy built into unbound-anchor.
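The "stale trust anchor" risk both sides of this exchange are arguing about is concrete: what unbound-anchor does with the bundled icannbundle.pem is verify the S/MIME signature on IANA's root-anchors.xml, then turn the KeyDigest entries that are currently within their validFrom/validUntil window into DS records for the resolver. The following is an added example written for this page, not code from the thread, from FreeBSD or from unbound; it covers only the second step (parsing the RFC 7958 XML and rejecting anchors that are expired or not yet valid), not the signature check. The function names are this example's own, and the sample XML is constructed in the root-anchors.xml layout: the key tags and digests are the ones IANA published for the 2010 and 2017 root KSKs, but the validity dates are chosen for the example rather than copied from IANA.

```python
"""Turn an RFC 7958 root-anchors.xml document into unbound trust-anchor
lines, keeping only the KeyDigest entries valid at a given point in time.

Added example; not part of the FreeBSD thread and not unbound's own code.
Signature verification of the XML (what unbound-anchor does with
icannbundle.pem before trusting it) is deliberately out of scope here.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample in the root-anchors.xml layout. Key tags and digests match
# the published KSK-2010 and KSK-2017 values; the dates are illustrative only.
SAMPLE_ROOT_ANCHORS = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="example-1" source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
  </KeyDigest>
  <KeyDigest id="Klajeyz" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>20326</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
  </KeyDigest>
</TrustAnchor>
"""


def _parse_ts(value):
    # RFC 7958 timestamps are RFC 3339 with an explicit offset; an aware
    # datetime keeps the later comparisons honest across time zones.
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("timestamp without offset: %r" % value)
    return ts


def parse_root_anchors(xml_text):
    """Return a list of dicts, one per <KeyDigest>, with parsed fields."""
    root = ET.fromstring(xml_text)
    if root.tag != "TrustAnchor":
        raise ValueError("root element is %r, expected TrustAnchor" % root.tag)
    zone = root.findtext("Zone")
    anchors = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors.append({
            "id": kd.get("id"),
            "zone": zone,
            "valid_from": _parse_ts(kd.get("validFrom")),
            "valid_until": _parse_ts(until) if until else None,
            "key_tag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper(),
        })
    return anchors


def classify(anchor, now):
    """'valid', 'expired' or 'not-yet-valid' relative to the aware datetime now."""
    if now < anchor["valid_from"]:
        return "not-yet-valid"
    if anchor["valid_until"] is not None and now >= anchor["valid_until"]:
        return "expired"
    return "valid"


def ds_line(anchor):
    # Presentation-format DS record, the form accepted in an unbound trust-anchor-file.
    return "%s IN DS %d %d %d %s" % (anchor["zone"], anchor["key_tag"],
                                     anchor["algorithm"], anchor["digest_type"],
                                     anchor["digest"])


def current_trust_anchors(xml_text, now_rfc3339):
    """Return (ds_lines, rejected): DS lines for anchors valid at now_rfc3339,
    and a dict of anchor id -> reason for those that must not be installed."""
    now = _parse_ts(now_rfc3339)
    ds_lines, rejected = [], {}
    for anchor in parse_root_anchors(xml_text):
        state = classify(anchor, now)
        if state == "valid":
            ds_lines.append(ds_line(anchor))
        else:
            rejected[anchor["id"]] = state
    return ds_lines, rejected


if __name__ == "__main__":
    lines, bad = current_trust_anchors(SAMPLE_ROOT_ANCHORS, "2020-01-01T00:00:00+00:00")
    print("\n".join(lines))
    for anchor_id, why in bad.items():
        print("# skipped %s: %s" % (anchor_id, why))
```

Run against a copy of IANA's file at different `now` values and the shape of the problem in the thread is visible: a DS line baked into a base install keeps validating until someone ships a new file, while the XML carries the window in which each anchor is actually meant to be trusted. The validity check here is the cheap part; the part that justifies carrying icannbundle.pem at all is verifying the detached signature on the XML before any of these fields are believed.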