[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
Doug Barton
dougb at dougbarton.us
Sun Feb 7 23:50:33 UTC 2010
On 02/07/10 13:02, Stephane Bortzmeyer wrote:
> On Fri, Feb 05, 2010 at 09:46:22AM -0800,
> Randy Bush <randy at psg.com> wrote
> a message of 15 lines which said:
>
>> what a great lesson
>
> Like Shane said, yes, but which lesson? For me, it means you should
> not put trust anchors in binary packages, unless there is an automatic
> update mechanism (is it the case with RedHat?).
FWIW, I had already come to the same conclusion with regard to my work on
BIND in FreeBSD. I started to think of ways to include trust anchors,
either in the base or in ports, and the number of different ways that
this could break started giving me a massive headache, so I stopped
(thinking about it, that is).
There are ways that I could conceivably add trust anchors in a
relatively safe manner through the ports, but that presupposes that the
user/admin would have the ports tree installed on their name server
system, keep it up to date, regularly check for packages that need
updating, etc. etc. None of these are completely safe assumptions.
In the end my conclusion was that anyone sufficiently interested in
configuring DNSSEC for their systems "should" be willing to put the
effort in to make it happen on their own. I may revisit this after the
root is signed-for-production (and I'm certainly open to opinions on
this topic).
Doug
--
... and that's just a little bit of history repeating.
-- Propellerheads
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
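The thread's point is that a trust anchor shipped in a package is only as good as the day it was built, so an operator needs a way to tell whether the keys on disk still match what the zone owner currently publishes. The following is an added example (not code from the thread, from RIPE NCC, or from any distribution package) that parses a BIND-style `trusted-keys` block, computes each key's key tag and DS record per RFC 4034, and compares them against DS records the admin has obtained out of band. The `trusted-keys` text and the key material in it are constructed; the owner name `example.` and the helper names are mine.

```python
"""Compare a packaged BIND trusted-keys block with DS records obtained out of
band (RFC 4034 key tag and DS digest).  Added example; the sample key material
is constructed and is not a real key."""
import base64
import hashlib
import re
import struct

# Constructed sample in the trusted-keys format used by the RIPE NCC anchor
# file.  "AQIDBA==" decodes to 01 02 03 04; it is not a usable public key.
TRUSTED_KEYS_SAMPLE = '''
trusted-keys {
    "example." 257 3 8 "AQIDBA==";
    "example." 256 3 8 "BQYHCA==";
};
'''


def name_to_wire(name):
    """Canonical (lower-cased) wire form of an owner name (RFC 4034 6.2)."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    wire = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels)
    return wire + b'\x00'


def parse_trusted_keys(text):
    """Return [(name, flags, protocol, algorithm, pubkey_bytes), ...]."""
    pat = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')
    keys = []
    for m in pat.finditer(text):
        name, flags, proto, alg, b64 = m.groups()
        pub = base64.b64decode(re.sub(r'\s+', '', b64))
        keys.append((name, int(flags), int(proto), int(alg), pub))
    return keys


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack('!HBB', flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B.1 key tag (not valid for algorithm 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(name, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS record (key_tag, algorithm, digest_type, HEXDIGEST), RFC 4034 5.1.4.
    digest_type 1 is SHA-1, 2 is SHA-256 (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_anchors(trusted_keys_text, expected_ds):
    """expected_ds maps owner name -> set of DS tuples as returned by make_ds,
    obtained out of band (from the parent zone or the operator's published DS).
    Returns {owner: {'ok': [tags], 'stale': [tags], 'missing': [tags],
    'not_ksk': [tags]}}: 'stale' are configured anchors no longer published,
    'missing' are published DS records the file knows nothing about."""
    report, matched = {}, {}
    blank = lambda: {'ok': [], 'stale': [], 'missing': [], 'not_ksk': []}
    for name, flags, proto, alg, pub in parse_trusted_keys(trusted_keys_text):
        owner = name.lower()
        r = report.setdefault(owner, blank())
        if not flags & 0x0001:          # SEP bit clear: a ZSK, not an anchor
            r['not_ksk'].append(key_tag(dnskey_rdata(flags, proto, alg, pub)))
            continue
        ds = make_ds(name, flags, proto, alg, pub)
        if ds in expected_ds.get(owner, set()):
            r['ok'].append(ds[0])
            matched.setdefault(owner, set()).add(ds)
        else:
            r['stale'].append(ds[0])
    for owner, dss in expected_ds.items():
        r = report.setdefault(owner.lower(), blank())
        r['missing'] = sorted(ds[0] for ds in dss
                              if ds not in matched.get(owner.lower(), set()))
    return report


if __name__ == '__main__':
    good = make_ds('example.', 257, 3, 8, b'\x01\x02\x03\x04')
    print(check_anchors(TRUSTED_KEYS_SAMPLE, {'example.': {good}}))
```

In practice the `expected_ds` set comes from a channel independent of the package, such as the DS RRset fetched from the parent zone once the root is signed, or the DS the operator publishes over HTTPS. A `stale` entry is the Fedora failure mode from this thread: an anchor that was correct at packaging time and silently stopped validating after a key rollover.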