Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x)
Doug Barton
dougb at FreeBSD.org
Sat Dec 18 23:15:25 UTC 2010
On 12/18/2010 09:16, Garrett Wollman wrote:
> In article <4D0C49A2.4000203 at FreeBSD.org>, dougb at freebsd.org writes:
>
>> In order to avoid repeating the scenario where we have a version of BIND
>> in the base that is not supported by the vendor I am proposing that we
>> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
>
> +1
>
> All users are going to want working DNSsec soon, if they don't
> already, and that requires 9.6. (In fact, we should start shipping
> with DNSsec enabled by default and the root key pre-configured, if we
> aren't already doing so.)
I'm not planning to do that in the base for a couple of reasons. The
primary one is that, given the way BIND 9.6 handles the root key, it would
have to be manually re-configured when the root key changes. When that
happens (not IF, it will happen someday) users who have the old
configuration will no longer be able to validate. The other reason I
don't want to do it in the base is that one open source OS vendor has
already been burned by doing something similar, and I don't want to
repeat that mistake.
What I do plan to do (and hopefully before the upcoming release) is to
make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that
users can enable and disable it easily, have a very easy way of being
notified of changes and doing the updates, etc. It's also worth pointing
out that BIND 9.7 and up support RFC 5011 rollover of the root key,
which ICANN is going to perform; this means that people with "old" root
keys in their configurations will be much more resilient.
hth,
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
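The distinction drawn in the message above, as an added example that is not part of the thread or of the FreeBSD ports: a POSIX shell check that classifies the root trust anchor in a named.conf as a static trusted-keys entry (BIND 9.6, hand-edited at every root KSK rollover) or an RFC 5011 managed-keys entry (BIND 9.7+). The sample configs, the report helper and the key material are constructed placeholders.

```shell
# Added example, not code from the thread or from FreeBSD.  A static
# trusted-keys anchor (the only option in BIND 9.6) stops validating after
# the root KSK rolls; a managed-keys anchor (BIND 9.7+, RFC 5011) follows it.

# Read a named.conf on stdin and print the root (".") anchor mode:
# "managed", "static", "both" or "none".  Assumes one key statement per
# line; include files and comments are not followed.
root_anchor_mode() {
    kinds=$(awk '
        /^[[:space:]]*(managed-keys|trusted-keys)[[:space:]]*[{]/ {
            block = ($0 ~ /^[[:space:]]*managed/) ? "managed" : "static"
        }
        block != "" && /^[[:space:]]*"\."[[:space:]]/ { print block }
        /^[[:space:]]*[}]/ { block = "" }
    ' | sort -u | tr '\n' ' ')
    case "$kinds" in
        *managed*static*) echo both ;;
        *managed*)        echo managed ;;
        *static*)         echo static ;;
        *)                echo none ;;
    esac
}

# Constructed sample configs; the key material is a placeholder, not the
# real root KSK (which comes from IANA).
STATIC_CONF='
options { dnssec-enable yes; dnssec-validation yes; };
trusted-keys {
    "." 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";
};'

MANAGED_CONF='
options { dnssec-enable yes; dnssec-validation yes; };
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";
};'

# Report one config and flag the mode that needs manual attention.
report() {
    mode=$(printf '%s\n' "$2" | root_anchor_mode)
    printf '%s: root anchor mode is %s\n' "$1" "$mode"
    if [ "$mode" = static ] || [ "$mode" = both ]; then
        echo "  -> static root key: must be re-entered by hand at every KSK rollover"
    fi
}

report static-9.6.conf  "$STATIC_CONF"
report managed-9.7.conf "$MANAGED_CONF"
```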