Results of BIND RFC
Robert Watson
rwatson at FreeBSD.org
Fri Apr 2 10:52:21 UTC 2010
On Fri, 2 Apr 2010, Poul-Henning Kamp wrote:
> The result of the RFC was that bind is not a mandatory component to make "a
> usable system", so your argument suffers from bad logic.
With an eye on the date of Doug's suggestive e-mail, I actually am concerned
that we maintain support for DNSSEC validation in the base system. If this
can be accomplished by keeping DNS debugging tools and the lightweight
resolver in the base, then I'm fine with that world view. However, if we
can't do DNSSEC record validation without installing the BIND package, then
that worries me.
As we go forward, DNSSEC is going to become increasingly important, and being
unable to bootstrap a system will be a problem, and it will become an
increasingly critical part of the security bootstrap process for networked
systems. While some DNSSEC folk consider it anathema ("DNS is not a directory
service!"), the ability to securely distribute keying material via an existing
network service has enormous value: for example, early DNSSEC prototypes in
the late 1990s/early 2000s included SSH key distribution via cert records in
DNSSEC. Similarly, as proposals to tie DHCP security and mobility security to
DNSSEC expand, any decision to require a package to do DNSSEC would mean any
component depending on that also has to be outside our base.
If all requirements along these lines are met by the lightweight resolver,
then this is less of a concern.
Robert
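The point above about distributing keying material through DNSSEC, as an added example that is not part of the original message or of FreeBSD's own code: the mechanism that was eventually standardized for SSH host keys is the SSHFP record (RFC 4255, with SHA-256 from RFC 6594 and Ed25519 from RFC 7479), whose rdata is a digest of the host's raw public key blob. The Python below (my choice of language, not anything from the thread) computes that record for a constructed Ed25519 key and then performs the client-side check, including the caveat the argument hinges on: the record is only worth anything if the resolver reports it as DNSSEC-validated (the AD flag), which is exactly the validation a base system has to obtain either locally or from a trusted validating resolver. The function names, the dict standing in for a stub resolver's answer, and the host key are my own constructions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b: bytes) -> bytes:
    """Encode a byte string in SSH wire format (RFC 4251 'string')."""
    return struct.pack(">I", len(b)) + b


def parse_ssh_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Decode one SSH wire-format string at offset off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def decode_openssh_pubkey(line: str) -> tuple[str, bytes]:
    """Return (key type, raw key blob) from a known_hosts/authorized_keys style line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    blob_type, _ = parse_ssh_string(blob, 0)
    if blob_type.decode() != keytype:
        raise ValueError("key type in text does not match key type in blob")
    return keytype, blob


def sshfp_rdata(keytype: str, blob: bytes, fptype: int = 2) -> tuple[int, int, str]:
    """Compute the SSHFP (algorithm, fptype, hex fingerprint) triple for a host key.

    The fingerprint is the digest of the raw key blob, i.e. the base64-decoded
    public key, which is what a zone operator publishes for the host."""
    return SSHFP_ALG[keytype], fptype, SSHFP_FPTYPE[fptype](blob).hexdigest()


def verify_host_key(pubkey_line: str, dns_answer: dict) -> bool:
    """Accept the presented host key only if a DNSSEC-validated SSHFP record matches.

    dns_answer is a constructed stand-in for a stub resolver's response:
    {"ad": bool, "sshfp": [(alg, fptype, hexfp), ...]}.  The AD flag is what a
    validating resolver sets when the answer passed DNSSEC validation.  Without
    it the record is no better than an unauthenticated hint, so it is refused;
    this mirrors how ssh(1)'s VerifyHostKeyDNS treats a record the resolver did
    not mark as validated: it is not trusted on its own."""
    if not dns_answer.get("ad"):
        return False
    keytype, blob = decode_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALG.get(keytype)
    for r_alg, r_fptype, r_fp in dns_answer.get("sshfp", []):
        if r_alg != alg or r_fptype not in SSHFP_FPTYPE:
            continue
        expected = SSHFP_FPTYPE[r_fptype](blob).hexdigest()
        if hmac.compare_digest(expected, r_fp.lower()):
            return True
    return False


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH public-key line from a 32-byte Ed25519 public key value.

    Only the encoding matters for fingerprinting, so a constructed (not
    cryptographically generated) 32-byte value is sufficient here."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed host key and the SSHFP rdata a zone operator would publish for it.
HOST_KEY = make_ed25519_pubkey_line(bytes(range(32)))
PUBLISHED = sshfp_rdata(*decode_openssh_pubkey(HOST_KEY))

if __name__ == "__main__":
    print("SSHFP", *PUBLISHED)
    print("validated answer accepted:", verify_host_key(HOST_KEY, {"ad": True, "sshfp": [PUBLISHED]}))
    print("unvalidated answer accepted:", verify_host_key(HOST_KEY, {"ad": False, "sshfp": [PUBLISHED]}))
```

The check deliberately keys on the AD flag rather than on the presence of RRSIG data: a non-validating stub resolver will happily return an SSHFP record with RRSIGs that nobody has verified, and a client that trusts the record on that basis has gained nothing over a plain known_hosts prompt.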
More information about the freebsd-stable mailing list