[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Florian Weimer fweimer at redhat.com
Mon Jun 6 09:20:49 UTC 2016


On 06/05/2016 08:31 PM, Paul Wouters wrote:
> On Fri, 3 Jun 2016, Jan Včelak wrote:
>
>> I don't think this is necessarily a negative score point for systemd.
>>
>> I already trust my Linux distribution in what they are shipping. I don't
>> mind whether it is a list of certification authorities or trust anchor
>> for DNSSEC. For me, the trust point is the distribution signing key. And
>> the package I can audit. I don't really fancy some software pulling in
>> another trust anchor.
>
> If your machine is offline for the months during which a KSK rollover
> happens, can you get online with enough DNS to update your OS to get
> an updated trust anchor?

I still don't understand this.

Why would you do a KSK rollover if the key isn't compromised?  And if 
the KSK *is* compromised, you don't want to perform an automated update.

Florian
