Matt Larson wrote:
Out of curiosity, what other changes have there been that
deliberately invalidated a working config?

the big one was last-bind8 to first-bind9. there were also some minor ones over the years like changing the default for allow-query to be localnets rather than any. since it hasn't happened in the years i've been gone from ISC, i think we can safely assign blame and move on.

I appreciate that line of reasoning when applied to invalidating
features that don't have harmful consequences if used. But in the
specific case we're talking about, the circumstances matter: I
suggest that it's better to have the server refuse to start with a
clear syslog message to force someone to adjust a harmful config
rather than have the server start but fail to resolve queries by
mysteriously returning SERVFAIL to everything.

there's going to have to be a third way. if that's due to happen, we can expect the BIND9 embedders and ISC to work together to patch it in a way that disables DNSSEC validation if it recognizes some badness of some kind. running off the rails into a ditch won't be allowed to happen, for anyone whose BIND9 gets patched regularly. even if this means recognizing KSK-2010 specifically, in hard code.

At the very least, a "trusted-keys for the root KSK considered
harmful" syslog message would be a hopefully easy and
non-controversial first step in the right direction.

i think that's entirely reasonable, and based on BIND9's syslogging when its hints file is seen to be out of date (doesn't match priming), i think there's sufficient precedent. but i do think we ought to be realistic as to whether the 99%'ers will ever read their syslog files.

--
P Vixie
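As an added example (not part of either message, and not ISC code): a small Python lint that emits the "trusted-keys for the root KSK considered harmful" warning the thread proposes when a named.conf carries a static root trust anchor, while accepting the managed-keys (RFC 5011) form. The named.conf fragments, key strings and warning wording are constructed here; the block syntax follows BIND9's trusted-keys / managed-keys statements.

```python
import re

# Constructed named.conf fragments (placeholders, not real key material).
# STATIC_CONF pins the root KSK by hand; it keeps "working" until the KSK
# rolls, after which every validated answer becomes SERVFAIL.
STATIC_CONF = '''
options { dnssec-validation yes; };
// static root trust anchor: never updates when the root KSK rolls
trusted-keys {
    "." 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64==";
    "example." 257 3 8 "PLACEHOLDER-EXAMPLE-KSK==";
};
'''

# MANAGED_CONF lets named track the root KSK roll on its own.
MANAGED_CONF = '''
options { dnssec-validation auto; };
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64==";
};
'''

COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
BLOCK_RE = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\};', re.S)
# zone (quoted or bare), optional "initial-key", then flags proto alg and
# the opening quote of the key data.
ENTRY_RE = re.compile(
    r'("?)([^"\s]+)\1\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"')


def trust_anchors(conf):
    """Return (block_type, zone, flags) for every anchor in a named.conf."""
    text = COMMENT_RE.sub('', conf)
    found = []
    for block_type, body in BLOCK_RE.findall(text):
        for _q, zone, flags, _proto, _alg in ENTRY_RE.findall(body):
            found.append((block_type, zone, int(flags)))
    return found


def static_root_anchor_warnings(conf):
    """One syslog-style warning per static root anchor (flags 257 = KSK)."""
    return [
        f'trusted-keys for the root KSK considered harmful: static "{zone}" '
        f'anchor (flags {flags}) will not follow a KSK roll; use managed-keys '
        f'or dnssec-validation auto'
        for block_type, zone, flags in trust_anchors(conf)
        if block_type == 'trusted-keys' and zone == '.'
    ]


if __name__ == '__main__':
    for name, conf in (('static', STATIC_CONF), ('managed', MANAGED_CONF)):
        print(name, static_root_anchor_warnings(conf) or ['ok'])
```

Running it prints one warning for STATIC_CONF and "ok" for MANAGED_CONF; non-root static anchors (such as "example." above) are left alone, since only the root anchor is the one a KSK-2010 roll breaks for everybody.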

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
