[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Paul Wouters paul at nohats.ca
Sun Jun 5 18:31:21 UTC 2016

On Fri, 3 Jun 2016, Jan Včelak wrote:

> I don't think this is necessarily a negative score point for systemd.
> I already trust my Linux distribution in what they are shipping. I don't
> mind whether it is a list of certification authorities or trust anchor
> for DNSSEC. For me, the trust point is the distribution signing key. And
> the package I can audit. I don't really fancy some software pulling in
> another trust anchor.

If your machine is offline for the months during which a KSK rollover
happens, can you get online with enough DNS to update your OS to get
an updated trust anchor?

It seems systemd just dropped that as a use case they are willing to
handle. Which in general was my problem when I met the systemd people
to talk about this. My use cases were simply ignored as not relevant.


