On 12/18/2010 09:16, Garrett Wollman wrote:
> In article <4d0c49a2.4000...@freebsd.org>, do...@freebsd.org writes:
>> In order to avoid repeating the scenario where we have a version of BIND
>> in the base that is not supported by the vendor I am proposing that we
>> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
>
> +1
>
> All users are going to want working DNSsec soon, if they don't
> already, and that requires 9.6. (In fact, we should start shipping
> with DNSsec enabled by default and the root key pre-configured, if we
> aren't already doing so.)
I'm not planning to do that in the base for a couple of reasons. The
primary one is that, the way BIND 9.6 handles the root key, it would
have to be manually re-configured when the root key changes. When that
happens (not IF, it will happen someday) users who have the old
configuration will no longer be able to validate. The other reason I
don't want to do it in the base is that one open source OS vendor has
already been burned by doing something similar, and I don't want to
repeat that mistake.

What I do plan to do (and hopefully before the upcoming release) is to
make ports for the BIND 9.6 and 9.7+ methods of handling DNSSEC so that
users can enable and disable it easily, have a very easy way of being
notified of changes, doing the updates, etc. It's also worth pointing
out that BIND 9.7 and up support RFC 5011 rollover of the root key,
which ICANN is going to perform, which means that people with "old" root
keys in their configurations will be much more resilient.
hth,
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
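As an added illustration (not part of Doug's message, and not the FreeBSD base or ports configuration) of the two named.conf styles the thread contrasts: a static `trusted-keys` anchor, which is what a BIND 9.6 validator relies on and which an operator has to edit by hand once the root KSK is rolled, and the BIND 9.7+ `managed-keys` form, which bootstraps from an `initial-key` and then follows RFC 5011 rollovers on its own. The key material shown is a placeholder, not the real root key, and the two fragments are alternatives for the same file, not meant to be used together.

```conf
// ---- Alternative A: BIND 9.6 style, static trust anchor ----
// The anchor is fixed in the file. When ICANN rolls the root KSK,
// validation fails on this resolver until someone replaces the key.
options {
    dnssec-enable yes;
    dnssec-validation yes;
};

trusted-keys {
    // placeholder value, NOT the real root KSK
    "." 257 3 8 "AwEAAb...PLACEHOLDER-ROOT-KSK-BASE64...";
};

// ---- Alternative B: BIND 9.7+ style, RFC 5011 managed trust anchor ----
// initial-key is used only on first start. named then tracks the
// root's DNSKEY RRset, accepts a new KSK after the RFC 5011 hold-down
// period, and records the current anchors in managed-keys.bind in its
// working directory, so a rollover needs no operator edit.
options {
    dnssec-enable yes;
    dnssec-validation yes;
};

managed-keys {
    // placeholder value, NOT the real root KSK
    "." initial-key 257 3 8 "AwEAAb...PLACEHOLDER-ROOT-KSK-BASE64...";
};
```

Either way, the check that validation is actually working is the same: query the resolver with `dig @127.0.0.1 +dnssec . SOA` and confirm the `ad` flag is set in the answer; after a root KSK rollover, alternative A stops setting it (SERVFAIL for signed zones) while alternative B keeps validating.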
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"