[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

Randy Bush randy at psg.com
Sun Feb 7 19:14:37 UTC 2010

>>> We have discovered that recent versions of the Fedora Linux distribution
>>> are shipping with a package called "dnssec-conf", which contains the
>>> RIPE NCC's DNSSEC trust anchors. This package is installed by default as
>>> a dependency of BIND, and it configures BIND to do DNSSEC validation.
>>> Unfortunately, the current version of this package (1.21) is outdated
>>> and contains old trust anchors.
>> what a great lesson
> I agree... but what is it? :)
> Sure, one lesson is "trust is tricky". Perhaps another is "get your
> trust as close to the source as possible", although that doesn't
> always help.
> I am wondering if we can also take something here to the reoccurring
> debate about the utility of regular KSK rollovers.
> In that debate, one argument is that since there is no cryptological
> motivation for a KSK rollover, that these should be done only when the
> KSK is possibly compromised. The other argument is that we need to do
> regular rollovers so that when an emergency rollover is necessary it
> will work.
> This strikes me as indicating that even with regular rollovers, things
> will still break. Which kind of supports the idea of rolling over only
> in emergency, doesn't it? At least in that case you *might* never have
> to go through the pain of making some domains go dark for some users....

also that having 42 trust anchors with unknown and/or varying policies
is a recipe for trouble.  sign the root, one will be bad enough.
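The failure described in the thread is a validator still carrying trust anchors that the publisher has since rolled. One defender-side check is to compare the anchors a validator has configured against the key set the publisher currently advertises and flag anything stale. The script below is an added example, not part of this thread and not code from the dnssec-conf package; it parses BIND-style `trusted-keys` entries (the format dnssec-conf produced for BIND), computes RFC 4034 key tags, and reports configured anchors that no longer appear in the current set. Every DNSKEY value in it is constructed for the demonstration and is not a real RIPE NCC or other key; the "current" set is embedded inline where in practice it would come from the publishing authority's key page or a DNSKEY query.

```python
"""Flag DNSSEC trust anchors that a validator still has configured but that
the publisher no longer advertises.

Added example; not the dnssec-conf package's own code. All key material is
constructed for this demonstration and corresponds to no real zone or key.
"""
import base64
import re

# Shape of one BIND `trusted-keys` entry, as dnssec-conf emitted them:
#   "example." 257 3 8 "BASE64...";
TRUSTED_KEY_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)'
    r'\s+"(?P<key>[^"]+)"\s*;'
)


def dnskey_rdata(flags, proto, alg, key_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol,
    algorithm, then the raw public key bytes."""
    key = base64.b64decode("".join(key_b64.split()))
    return bytes([flags >> 8, flags & 0xFF, proto, alg]) + key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trusted_keys(text):
    """Return {(owner, key_tag): rdata} for every entry in a trusted-keys block."""
    anchors = {}
    for m in TRUSTED_KEY_RE.finditer(text):
        owner = m.group("name").lower().rstrip(".") + "."
        rdata = dnskey_rdata(int(m.group("flags")), int(m.group("proto")),
                             int(m.group("alg")), m.group("key"))
        anchors[(owner, key_tag(rdata))] = rdata
    return anchors


def stale_anchors(configured, current):
    """Anchors in the configured set that are absent from the current set.

    Matching is on owner, key tag and exact RDATA, so a key tag collision
    cannot hide a rolled key. A stale anchor is exactly the condition the
    thread describes: once the old key leaves the zone, every signed answer
    under that anchor fails validation for the affected resolvers."""
    return sorted(
        (owner, tag)
        for (owner, tag), rdata in configured.items()
        if current.get((owner, tag)) != rdata
    )


# Constructed sample data (hypothetical zones, hypothetical keys).
# What an outdated package might have installed on the validator:
OLD_PACKAGE_ANCHORS = '''
trusted-keys {
    "zone1.example." 257 3 8 "AQIDBAUG";
    "zone2.example." 257 3 8 "CgsMDQ4P";
};
'''

# What the publisher currently advertises: zone1.example has rolled its KSK,
# zone2.example has not.
CURRENT_PUBLISHED = '''
trusted-keys {
    "zone1.example." 257 3 8 "EBESExQV";
    "zone2.example." 257 3 8 "CgsMDQ4P";
};
'''


def demo():
    """Compare the two sets and return the stale (owner, key_tag) pairs."""
    configured = parse_trusted_keys(OLD_PACKAGE_ANCHORS)
    current = parse_trusted_keys(CURRENT_PUBLISHED)
    return stale_anchors(configured, current)


if __name__ == "__main__":
    for owner, tag in demo():
        print(f"STALE anchor: {owner} key tag {tag}")
```

Run against a real deployment, the configured side would be read from the validator's trust anchor file and the current side fetched from the publisher out of band; a non-empty result means the validator will go dark for that zone as soon as the old key is withdrawn, which is the outcome the thread's "as close to the source as possible" advice is meant to avoid.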
