At 3:05 PM -0400 4/22/09, Paul Wouters wrote:
>If an OS ships with preloaded trust anchors, and the medium is
>used over a year after it was created, e.g. an old CD/DVD copy, it
>might cause DNS to completely fail due to loading rolled-over
>trust anchors. This DNS failure will prevent it from obtaining
>an updated trust anchor if those reside within one of these
>zones.
>
>The question is what to do, or what to recommend. For Fedora/EPEL,
>I'm leaning towards automatically disabling all trust anchors (which
>includes DLV) if the package build date is older than 9 months. At
>the same time, we will commit to releasing at least a new package
>every 6 months, even if no changes were made and we are just bumping
>the release number. Upon package update, the resolver is restarted
>and the same check that disabled the trust anchors before will now
>accept the new package date, and enable trust anchors again.
>
>It might make sense to add a warning about this issue in the RFC?

Yes. For example, Ubuntu server "long term stable" releases are only put out 
every few years. If you pick one of them, you start off with an old image, then 
*hopefully* update as soon as you install. But, if you just turn on some 
services, this will be a problem that is quite different than the typical "but 
you might be running unsafe binaries".

--Paul Hoffman, Director
--VPN Consortium
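The staleness check proposed in the quoted message, written out as an added example that is not code from either poster or from the Fedora/EPEL packages. It assumes the package build date is available to the resolver's startup script, uses the thread's 9-month disable threshold and 6-month re-release cadence, and takes constructed unbound-style anchor directives as input; the helper names (anchors_enabled, resolver_config, cadence_slack_days) are hypothetical.

```python
"""Staleness guard for preloaded DNSSEC trust anchors (added example).

Idea from the thread: a resolver package built more than 9 months ago has
its preloaded trust anchors (including DLV) switched off, because a rolled-over
key would otherwise make all validation fail and block the very update that
would deliver the new anchor.  A package re-released at least every 6 months
keeps an updated system inside the 9-month window.
"""
from datetime import date, timedelta

MAX_ANCHOR_AGE = timedelta(days=9 * 30)      # "older than 9 months" (approximated as 270 days)
RELEASE_INTERVAL = timedelta(days=6 * 30)    # committed re-release cadence (approximated as 180 days)


def anchors_enabled(build_date: date, today: date,
                    max_age: timedelta = MAX_ANCHOR_AGE) -> bool:
    """True if the package is young enough for its preloaded anchors to be trusted."""
    return today - build_date <= max_age


def resolver_config(build_date: date, today: date, anchor_lines):
    """Return the anchor directives to feed the resolver.

    anchor_lines: constructed unbound-style directives (trust-anchor-file,
    dlv-anchor-file).  When the package is stale every directive is commented
    out, so the resolver starts in non-validating mode instead of failing.
    """
    if anchors_enabled(build_date, today):
        return list(anchor_lines)
    age_days = (today - build_date).days
    header = "# trust anchors disabled: package built %s (%d days ago, limit %d)" % (
        build_date.isoformat(), age_days, MAX_ANCHOR_AGE.days)
    return [header] + ["# " + line for line in anchor_lines]


def cadence_slack_days(max_age: timedelta = MAX_ANCHOR_AGE,
                       release_interval: timedelta = RELEASE_INTERVAL) -> int:
    """Days a system may lag behind the latest re-release before anchors switch off.

    Positive means the cadence keeps an up-to-date system inside the window.
    """
    return (max_age - release_interval).days


if __name__ == "__main__":
    # Constructed sample input: anchor directives as a distro might ship them.
    sample = [
        "auto-trust-anchor-file: /var/lib/unbound/root.key",
        "dlv-anchor-file: /etc/unbound/dlv.isc.org.key",
    ]
    today = date(2009, 4, 22)
    print("\n".join(resolver_config(date(2009, 1, 15), today, sample)))  # fresh: unchanged
    print("\n".join(resolver_config(date(2008, 4, 22), today, sample)))  # stale: commented out
    print("slack days:", cadence_slack_days())
```

The guard degrades to an unvalidated but working resolver rather than a dead one; pairing it with the 6-month re-release means a system that keeps up with updates never trips the check, while an old install image does, which is exactly the long-lived-media case both posters describe.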
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
