[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
Florian Weimer
fweimer at redhat.com
Mon Jun 6 09:20:49 UTC 2016
On 06/05/2016 08:31 PM, Paul Wouters wrote:
> On Fri, 3 Jun 2016, Jan Včelak wrote:
>
>> I don't think this is necessarily a negative score point for systemd.
>>
>> I already trust my Linux distribution in what they are shipping. I don't
>> mind whether it is a list of certification authorities or trust anchor
>> for DNSSEC. For me, the trust point is the distribution signing key. And
>> the package I can audit. I don't really fancy some software pulling in
>> another trust anchor.
>
> If your machine is offline for the months during which a KSK rollover
> happens, can you get online with enough DNS to update your OS to get
> an updated trust anchor?

I still don't understand this.

Why would you do a KSK rollover if the key isn't compromised? And if
the KSK *is* compromised, you don't want to perform an automated update.

Florian