Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x)
Mark Andrews
marka at isc.org
Sun Dec 19 22:55:43 UTC 2010
In message <4D0D408A.2020802 at FreeBSD.org>, Doug Barton writes:
> On 12/18/2010 09:16, Garrett Wollman wrote:
> > In article<4D0C49A2.4000203 at FreeBSD.org>, dougb at freebsd.org writes:
> >
> >> In order to avoid repeating the scenario where we have a version of BIND
> >> in the base that is not supported by the vendor I am proposing that we
> >> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
> >
> > +1
> >
> > All users are going to want working DNSsec soon, if they don't
> > already, and that requires 9.6. (In fact, we should start shipping
> > with DNSsec enabled by default and the root key pre-configured, if we
> > aren't already doing so.)
>
> I'm not planning to do that in the base for a couple of reasons. The
> primary one being that the way BIND 9.6 handles the root key it would
> have to be manually re-configured when the root key changes. When that
> happens (not IF, it will happen someday) users who have the old
> configuration will no longer be able to validate. The other reason I
> don't want to do it in the base is that one open source OS vendor has
> already been burned by doing something similar, and I don't want to
> repeat that mistake.
They also failed to put into place procedures to track the trust
anchors as they change. OS vendors are in a much better place to
do this than nameserver vendors.
> What I do plan to do (and hopefully before the upcoming release) is to
> make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that
> users can enable and disable it easily, have a very easy way of being
> notified of changes, doing the updates, etc. It's also worth pointing
> out that BIND 9.7 and up support RFC 5011 rollover of the root key,
> which ICANN is going to perform, which means that people with "old" root
> keys in their configurations will be much more resilient.
There is still a bootstrap issue to be addressed.
BIND 9.6 and BIND 9.7 have /etc/bind.keys, which needs to be updated as the
keys referenced there change. This is just a reference file in BIND 9.6.
> hth,
>
> Doug
>
> --
>
> Nothin' ever doesn't change, but nothin' changes much.
> -- OK Go
>
> Breadth of IT experience, and depth of knowledge in the DNS.
> Yours for the right price. :) http://SupersetSolutions.com/
>
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
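The two configuration styles the thread contrasts, as an added illustration that is not part of this message: a static `trusted-keys` anchor (the only option in BIND 9.6, which stops validating once the root KSK rolls unless an operator edits it) next to an RFC 5011 `managed-keys` anchor (BIND 9.7+, where named tracks the rollover itself). The key material is a placeholder, not the real root KSK; the current root key must still be obtained from a trusted source when the anchor is first installed, which is the bootstrap problem the thread mentions.

```conf
options {
    dnssec-enable yes;
    dnssec-validation yes;
};

// Style A (BIND 9.6): static anchor. If the root KSK is replaced, this
// entry is stale and validation of everything under "." fails until a
// human replaces the key. Use either Style A or Style B, not both.
trusted-keys {
    "." 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";   // placeholder, not the real key
};

// Style B (BIND 9.7+): RFC 5011 managed anchor. "initial-key" is used only
// for the first validation; afterwards named records the key set it has
// learned (including any new KSK signed by the old one) in its
// managed-keys.bind journal and follows rollovers without a config edit.
// The initial key must itself be current at install time: an expired or
// revoked initial-key cannot bootstrap, which is the same operational gap.
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";   // placeholder
};
```

Check which style is active on a running server with `rndc secroots`, which dumps the trust anchors named is actually using; with Style A the anchor never changes on its own, so a monitoring job that compares the configured key tag against the published root DNSKEY RRset is the minimum an OS vendor shipping such a file needs.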