On 2012-07-07 16:45, Doug Barton wrote:
Also re DNSSEC integration in the base, I've stated before that I believe very strongly that any kind of hard-coding of trust anchors as part of the base resolver setup is a bad idea, and should not be done. We need to leverage the ports system for this so that we don't get stuck with a scenario where we have stale stuff in the base that is hard for users to upgrade.
Considering the current root update cert bundle has a 20-year root CA and 5-year DNSSEC and email CAs, I don't think it's unreasonable to maintain a copy of icannbundle.pem in the source tree or simply rely on the copy built into unbound-anchor.
_______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
