On 2012-07-08 02:31, Doug Barton wrote:
On 07/07/2012 17:47, Darren Pilgrim wrote:
On 2012-07-07 16:45, Doug Barton wrote:
Also re DNSSEC integration in the base, I've stated before that I
believe very strongly that any kind of hard-coding of trust anchors as
part of the base resolver setup is a bad idea, and should not be done.
We need to leverage the ports system for this so that we don't get stuck
with a scenario where we have stale stuff in the base that is hard for
users to upgrade.

Considering the current root update cert bundle has a 20-year root CA
and 5-year DNSSEC and email CAs,

Neither of which has any relevance to the actual root zone ZSK, which
could require an emergency roll tomorrow.

Emergency root key change is handled by just running unbound-anchor again and having it download the new ZSK. The only thing it can't do is retrieve the root cert chain--it either uses the compiled-in copy or a PEM file passed with the -c flag.

Am I missing something in that process?
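As an added example (not code from the thread or from Unbound), the script below parses a trust-anchor file in the root-anchors.xml layout that unbound-anchor fetches and emits only the key digests whose validity window covers a given date, which is the staleness check a resolver operator wants when the anchors shipped in base may be years old. The sample document and its KeyTag/Digest values are constructed placeholders, not the real root zone keys.

```python
"""Turn a trust-anchor file in the root-anchors.xml layout into DS records,
keeping only KeyDigest entries whose validity window covers a given date."""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed placeholders, not the real root zone key digests.
OLD_DIGEST = "11" * 32
NEW_DIGEST = "22" * 32

# Constructed sample document in the root-anchors.xml layout.
SAMPLE_XML = f"""<TrustAnchor id="constructed-example" source="(placeholder)">
  <Zone>.</Zone>
  <KeyDigest id="OldKey" validFrom="2010-07-15T00:00:00+00:00"
             validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>{OLD_DIGEST}</Digest>
  </KeyDigest>
  <KeyDigest id="NewKey" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>22222</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>{NEW_DIGEST}</Digest>
  </KeyDigest>
</TrustAnchor>
"""


def parse_ts(value):
    """validFrom/validUntil are ISO 8601 with a UTC offset; return an aware datetime."""
    return datetime.fromisoformat(value)


def current_ds_records(xml_text, now):
    """Return '<zone> IN DS <tag> <alg> <dtype> <digest>' lines valid at `now`.

    A digest with no validUntil is open-ended; one whose window has closed
    (or not yet opened) is skipped, so a stale anchor is never emitted."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone").strip()
    records = []
    for kd in root.findall("KeyDigest"):
        valid_from = parse_ts(kd.get("validFrom"))
        until = kd.get("validUntil")
        valid_until = parse_ts(until) if until else None
        if now < valid_from or (valid_until is not None and now >= valid_until):
            continue
        fields = [kd.findtext(t).strip() for t in ("KeyTag", "Algorithm", "DigestType", "Digest")]
        records.append("%s IN DS %s" % (zone, " ".join(fields)))
    return records


if __name__ == "__main__":
    for line in current_ds_records(SAMPLE_XML, parse_ts("2018-06-01T00:00:00+00:00")):
        print(line)
```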
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers