From: Doug Barton
Organization: http://SupersetSolutions.com/
Date: Sun, 08 Jul 2012 02:31:17 -0700
To: Darren Pilgrim
Cc: freebsd-security@freebsd.org, FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-ID: <4FF95365.7010605@FreeBSD.org>
In-Reply-To: <4FF8D89B.1030308@bluerosetech.com>

On 07/07/2012 17:47, Darren Pilgrim wrote:
> On 2012-07-07 16:45, Doug Barton wrote:
>> Also re DNSSEC integration in the base, I've stated before that I
>> believe very strongly that any kind of hard-coding of trust anchors as
>> part of the base resolver setup is a bad idea, and should not be done.
>> We need to leverage the ports system for this so that we don't get stuck
>> with a scenario where we have stale stuff in the base that is hard for
>> users to upgrade.
>
> Considering the current root update cert bundle has a 20-year root CA
> and 5-year DNSSEC and email CAs,

Neither of which has any relevance to the actual root zone ZSK, which
could require an emergency roll tomorrow.

> I don't think it's unreasonable to
> maintain a copy of icannbundle.pem in the source tree

Again, that has nothing to do with the actual ZSK, other than providing
a way to validate the *existing* one. That's not the issue, at all.

-- 
This .signature sanitized for your protection
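The staleness problem argued above is what unbound's RFC 5011 mode addresses. The fragment below is an added illustration, not from this thread or from FreeBSD's own configuration: a frozen `trust-anchor:` line beside the self-updating `auto-trust-anchor-file:` form. The file path is an assumption and the DS record text is a placeholder, not the real root key digest.

```conf
# Added illustration (not from the mailing-list thread).
server:
    # Frozen form: the DS text is baked into the config and must be edited
    # by hand after a root key roll. Digest below is a PLACEHOLDER value.
    # trust-anchor: ". IN DS 12345 8 2 PLACEHOLDER_HEX_DIGEST"

    # RFC 5011 form: unbound follows key rolls itself and rewrites this
    # file, so the anchor shipped with the system does not go stale.
    auto-trust-anchor-file: "/var/unbound/root.key"   # path assumed
```

The file is seeded once with `unbound-anchor -a /var/unbound/root.key` and must stay writable by the unbound user, or the updated keys cannot be persisted across restarts.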