Results of BIND RFC

Robert Watson rwatson at FreeBSD.org
Fri Apr 2 10:52:21 UTC 2010


On Fri, 2 Apr 2010, Poul-Henning Kamp wrote:

> The result of the RFC was that bind is not a mandatory component to make "a 
> usable system", so your argument suffers from bad logic.

With an eye on the date of Doug's suggestive e-mail, I actually am concerned 
that we maintain support for DNSSEC validation in the base system.  If this 
can be accomplished by keeping DNS debugging tools and the lightweight 
resolver in the base, then I'm fine with that world view.  However, if we 
can't do DNSSEC record validation without installing the BIND package, then 
that worries me.

As we go forward, DNSSEC is going to become increasingly important, and being 
unable to bootstrap a system will be a problem, and it will become an 
increasingly critical part of the security bootstrap process for networked 
systems.  While some DNSSEC folk consider it anathema ("DNS is not a directory 
service!"), the ability to securely distribute keying material via an existing 
network service has enormous value: for example, early DNSSEC prototypes in 
the late 1990s/early 2000s included SSH key distribution via cert records in 
DNSSEC.  Similarly, as proposals to tie DHCP security and mobility security to 
DNSSEC expand, any decision to require a package to do DNSSEC would mean any 
component depending on that also has to be outside our base.

If all requirements along these lines are met by the lightweight resolver, 
then this is less of a concern.

Robert
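As an added illustration of the validation concern raised above (this is example code, not part of the mailing-list post or of FreeBSD's resolver), the block below parses a DNS response message and reports whether the recursive resolver asserted DNSSEC validation: the AD (Authenticated Data) bit set, the CD (Checking Disabled) bit clear, and an RRSIG record present in the answer section. The response bytes are constructed inline for `example.org.`; the RRSIG rdata is a zero-filled placeholder of the right shape, not a real signature.

```python
import struct

# DNS header flag bits (RFC 1035 header layout; AD/CD semantics from RFC 4035).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: resolver claims it validated the answer
FLAG_CD = 0x0010   # Checking Disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F

TYPE_A = 1
TYPE_RRSIG = 46
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_name(msg, offset):
    """Parse a possibly compressed name; return (name, offset just past it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Summarise the security-relevant fields of a DNS response message."""
    _ident, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", msg[:12])
    offset = 12
    for _ in range(qdcount):                # skip the question section
        _, offset = parse_name(msg, offset)
        offset += 4                         # QTYPE + QCLASS
    answer_types = []
    for _ in range(ancount):
        _, offset = parse_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlength             # skip over the rdata
        answer_types.append(rtype)
    return {
        "rcode": flags & RCODE_MASK,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "answer_types": answer_types,
        "has_rrsig": TYPE_RRSIG in answer_types,
    }


def validated_by_resolver(msg):
    """True only if the resolver asserts validation: NOERROR, AD set, CD clear."""
    r = parse_response(msg)
    return r["rcode"] == 0 and r["ad"] and not r["cd"]


def build_response(ad, cd, include_rrsig):
    """Construct a sample response for example.org. (constructed test data)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    header = struct.pack("!6H", 0x1234, flags, 1, 2 if include_rrsig else 1, 0, 0)
    question = encode_name("example.org.") + struct.pack("!HH", TYPE_A, CLASS_IN)
    ptr = b"\xc0\x0c"                       # pointer to the name at offset 12
    msg = header + question
    msg += ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    if include_rrsig:
        # RRSIG rdata: 18 fixed bytes, signer's name, signature (placeholder zeros)
        rdata = b"\x00" * 18 + encode_name("example.org.") + b"\x00" * 8
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    for ad, cd in ((True, False), (False, False), (True, True)):
        print(ad, cd, "->", validated_by_resolver(build_response(ad, cd, True)))
```

The AD bit is only a statement by the recursive resolver, so a stub that relies on it must trust the path to that resolver; a resolver that validates locally, as the post argues the base system should be able to do, removes that dependency.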
