[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

Shane Kerr shane at isc.org
Sun Feb 7 15:31:57 UTC 2010


Randy,

On Fri, 2010-02-05 at 09:46 -0800, Randy Bush wrote:
> > We have discovered that recent versions of the Fedora Linux distribution
> > are shipping with a package called "dnssec-conf", which contains the
> > RIPE NCC's DNSSEC trust anchors. This package is installed by default as
> > a dependency of BIND, and it configures BIND to do DNSSEC validation.
> > 
> > Unfortunately, the current version of this package (1.21) is outdated
> > and contains old trust anchors.
> 
> what a great lesson

I agree... but what is it? :)

Sure, one lesson is "trust is tricky". Perhaps another is "get your
trust as close to the source as possible", although that doesn't
always help.

I am wondering if we can also take something here to the recurring
debate about the utility of regular KSK rollovers.

In that debate, one argument is that since there is no cryptological
motivation for a KSK rollover, that these should be done only when the
KSK is possibly compromised. The other argument is that we need to do
regular rollovers so that when an emergency rollover is necessary it
will work.

This strikes me as indicating that even with regular rollovers, things
will still break. Which kind of supports the idea of rolling over only
in emergency, doesn't it? At least in that case you *might* never have
to go through the pain of making some domains go dark for some users....

--
Shane
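The failure discussed in this thread is a shipped trust anchor that no longer matches the KSK a zone actually publishes. As an added example (not code from the thread, from dnssec-conf or from the RIPE NCC), the check below computes DS digests from a zone's current DNSKEY RRset and reports any configured anchor that matches none of them. The zone name and key bytes are constructed placeholders; in real use the DNSKEY RRset would come from a query to the zone.

```python
import base64
import hashlib

ZONE = "example."  # constructed placeholder zone, not the RIPE NCC zones


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(key_b64))


def key_tag(rdata):
    """Key tag for algorithms other than 1 (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name as lowercase wire-format labels (RFC 4034 section 6.2)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def stale_anchors(configured_ds, live_dnskeys):
    """Configured anchors that match no live key with the SEP bit set.
    Anything returned stops validating once that old KSK is withdrawn,
    which is the failure an outdated anchor package causes."""
    live = {ds_from_dnskey(*k) for k in live_dnskeys if k[1] & 1}
    return [ds for ds in configured_ds if ds not in live]


# Constructed keys: arbitrary bytes standing in for real key material.
OLD_KEY = base64.b64encode(bytes(range(1, 65))).decode()
NEW_KEY = base64.b64encode(bytes(range(64, 0, -1))).decode()
SHIPPED_ANCHORS = [ds_from_dnskey(ZONE, 257, 3, 8, OLD_KEY)]  # pre-rollover
LIVE_DNSKEYS = [(ZONE, 257, 3, 8, NEW_KEY)]  # zone after its KSK rollover


def check_shipped():
    return stale_anchors(SHIPPED_ANCHORS, LIVE_DNSKEYS)
```

Running the check during a package build, or periodically on a validating resolver, turns a silent "domain goes dark" into an actionable report before the old key is withdrawn.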