[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

Phil Regnauld regnauld at nsrc.org
Mon Feb 8 10:40:52 UTC 2010


João Damas (joao) writes:
> 
> The Fedora packages are acting as proxies for information they don't really care about

    That is a very pertinent observation.

> and without a mechanism for the original source to inform the consumer.

    Policy considerations aside:

    a) what policies exist in the OS distribution regarding "perishable"
       data (maintenance, update), and what, if any, measures are implemented
       to mitigate problems ?

    b) may the maintainer of the package take this decision alone ?
       
    ... the proper way to do this would be to split the keys/anchors out into
    a separate file included from the main configuration, have that include
    file as a separate package, and have automated updates refresh them as
    needed -- the last point being a dialog in the installation ("would you
    like to enable DLV/trust anchor package XYZ ? If so please note a cron
    entry will be enabled reminding you when new keys are available, or enable
    automated updates [...]").

    Next step is how to communicate these suggestions out to the various
    security and/or core teams of each distribution.

    Or, we don't care, and we sign the root (cf. Randy).

    Oh, wait, we DO need to update the root key once in a while!

    Reread from top ;)

> further down the tree an even smaller part of the tree is signed, and of
> that only a small percentage has been able to link its data to the parent zone.

    Yes.  But I do agree that a signed root is hard to ignore as an incentive.

> Perhaps it could use a mechanism where a consumer could check that the real
> source had been the one introducing the data, that there is a record
> of the checks applied, rather than having to rely on a third party to
> tell you they did (perhaps this is where, right now, the delegation of
> trust to the DLV operators conveys some sense of authority).

    There are multiple options indeed.  Agreed.

> Overall, for duration of this period where the secure DNS tree is
> highly fragmented, DLV does make a lot of sense. This does not
> contradict the fact that a signed root is a significant step forward
> and a very welcome one and, in this context, I will always trust
> something I can trace from the root down more than something I get
> from a third party.

    Isn't it how DLV works anyways ?

    Cheers,
    Phil
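
The check that the cron reminder proposed above would need to run, as an added example that is not part of the original message or of any distribution's packaging: it compares the anchors in an installed include file with the set the source currently publishes and reports stale and missing keys by key tag. It assumes BIND-style `trusted-keys` syntax without comments; the file contents, zone names and keys are constructed, and fetching and authenticating the published set is outside the example.

```python
import base64
import re

# One trusted-keys entry: name flags protocol algorithm "base64 key";
ENTRY = re.compile(r'"?([\w.-]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_anchors(text):
    """Return {(zone, key tag): raw key bytes} for every entry in the file."""
    anchors = {}
    for zone, flags, proto, alg, b64 in ENTRY.findall(text):
        key = base64.b64decode("".join(b64.split()))  # keys may wrap over lines
        anchors[(zone, key_tag(int(flags), int(proto), int(alg), key))] = key
    return anchors

def audit(installed_text, published_text):
    """Compare the packaged anchors with the set the source publishes now."""
    installed = parse_anchors(installed_text)
    published = parse_anchors(published_text)
    return {
        "stale": sorted(k for k in installed if published.get(k) != installed[k]),
        "missing": sorted(k for k in published if installed.get(k) != published[k]),
    }

# Constructed sample data: shortened, made-up keys for reserved example zones.
INSTALLED = '''
trusted-keys {
    "example.org." 257 3 5 "AwEAAccc";
    "example.net." 257 3 5 "AwEAAaaa";
};
'''
PUBLISHED = '''
trusted-keys {
    "example.org." 257 3 5 "AwEAAccc";
    "example.net." 257 3 5 "AwEAAbbb";
};
'''

if __name__ == "__main__":
    report = audit(INSTALLED, PUBLISHED)
    for zone, tag in report["stale"]:
        print(f"STALE   {zone} key tag {tag}: no longer published by the source")
    for zone, tag in report["missing"]:
        print(f"MISSING {zone} key tag {tag}: published but not installed")
```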



