On 2018-10-11 17:48, Alec Warner wrote:
> This thread is missing a bunch of context...so I'll try to add it I guess.

All you need to know is in this commit message, including the linked bug report
for more details. :)


> I can't tell if the complaint is that:
> 
> 1) Someone blind-stabled something on arm and it broke (doesn't build?)
> 2) The arm team failed to mark a package stable before a hard deadline
> (DNSSEC key rotation)
> 
> I presume it's the latter? What's the impact? All DNS, or only DNSSEC
> validated entries?

It's the latter. It will affect anyone running their own DNS resolver like
net-dns/unbound on ARM with DNSSEC enabled (not default) using keys
provided by the net-dns/dnssec-root package.

Of course anyone familiar with DNSSEC or unbound may know how to
work around this:

  - Enable auto-anchor update. However, it is too late to do that now;
    it will take ~30 days until the newly learned key becomes trusted.
    The same applies to any *new* setup within the last 30 days.

  - Use the unbound-anchor tool to force a manual immediate update.

  - Disable DNSSEC validation.

But that's not the point here. The point was to get some attention to the
fact that again we have a lagging architecture (net-dns/dnssec-root is not
the only package where the ARM arch team is lagging behind), which affects
anyone "trusting" somehow in STABLE keywords.

If everyone is using ~ARCH and doesn't care about STABLE keywords, well,
we could save a bunch of time, energy...


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
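
A check for the failure described in the message above, added here as an example and not part of the original mail or of any Gentoo package: it reads a root trust-anchor file in zone-file syntax and reports whether it already carries the 2017 root KSK. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are public root-zone values not stated in the mail; the sample anchors and their digests are constructed, and one record per line is assumed.

```python
import base64

# Root zone KSK key tags: public values, not stated in the mail above.
KSK_2010, KSK_2017 = 19036, 20326

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag of a DNSKEY record as defined in RFC 4034, Appendix B."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def anchor_tags(text):
    """Return the key tags of all root DS/DNSKEY records, one per line."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop ';' comments
        idx = next((i for i, f in enumerate(fields)
                    if f.upper() in ("DS", "DNSKEY")), None)
        if idx is None or fields[0] != ".":
            continue
        rdata = fields[idx + 1:]
        if fields[idx].upper() == "DS" and len(rdata) >= 4:
            tags.add(int(rdata[0]))              # DS carries the tag directly
        elif fields[idx].upper() == "DNSKEY" and len(rdata) >= 4:
            flags, proto, alg = (int(x) for x in rdata[:3])
            tags.add(key_tag(flags, proto, alg, "".join(rdata[3:])))
    return tags

def classify(text):
    """'current' if KSK-2017 is trusted, 'stale' if only KSK-2010 is."""
    tags = anchor_tags(text)
    if KSK_2017 in tags:
        return "current"
    return "stale" if KSK_2010 in tags else "unknown"

# Constructed sample anchors; the digests are placeholders, not real values.
STALE = ". IN DS 19036 8 2 " + "00" * 32 + " ; constructed\n"
CURRENT = STALE + ". IN DS 20326 8 2 " + "11" * 32 + " ; constructed\n"

if __name__ == "__main__":
    for name, sample in (("stale", STALE), ("current", CURRENT)):
        print(name, sorted(anchor_tags(sample)), classify(sample))
```

A "stale" result on a validating resolver corresponds to the situation in the mail: the anchor needs a forced update, since a key learned by auto-update is not trusted until the hold-down period has passed.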
