[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

Doug Barton dougb at dougbarton.us
Sun Feb 7 23:50:33 UTC 2010

On 02/07/10 13:02, Stephane Bortzmeyer wrote:
> On Fri, Feb 05, 2010 at 09:46:22AM -0800,
>   Randy Bush<randy at psg.com>  wrote
>   a message of 15 lines which said:
>> what a great lesson
> Like Shane said, yes, but which lesson? For me, it means you should
> not put trust anchors in binary packages, unless there is an automatic
> update mechanism (is it the case with RedHat?).

FWIW I had already come to the same conclusion in regards to my work on 
BIND in FreeBSD. I started to think of ways to include trust anchors, 
either in the base or in ports, and the number of different ways that 
this could break started giving me a massive headache, so I stopped 
(thinking about it that is).

There are ways that I could conceivably add trust anchors in a 
relatively safe manner through the ports, but that presupposes that the 
user/admin would have the ports tree installed on their name server 
system, keep it up to date, regularly check for packages that need 
updating, etc. etc. None of these are completely safe assumptions.

In the end my conclusion was that anyone sufficiently interested in 
configuring DNSSEC for their systems "should" be willing to put the 
effort in to make it happen on their own. I may revisit this after the 
root is signed-for-production (and I'm certainly open to opinions on 
this topic).



	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/

More information about the dns-operations mailing list