On Fri, 2 Apr 2010, Poul-Henning Kamp wrote:

> The result of the RFC was that bind is not a mandatory component to make
> "a usable system", so your argument suffers from bad logic.

With an eye on the date of Doug's suggestive e-mail, I actually am concerned that we maintain support for DNSSEC validation in the base system. If this can be accomplished by keeping DNS debugging tools and the lightweight resolver in the base, then I'm fine with that world view. However, if we can't do DNSSEC record validation without installing the BIND package, then that worries me.

As we go forward, DNSSEC is going to become increasingly important, and being unable to bootstrap a system will be a problem, and it will become an increasingly critical part of the security bootstrap process for networked systems. While some DNSSEC folk consider it anathema ("DNS is not a directory service!"), the ability to securely distribute keying material via an existing network service has enormous value: for example, early DNSSEC prototypes in the late 1990s/early 2000s included SSH key distribution via cert records in DNSSEC. Similarly, as proposals to tie DHCP security and mobility security to DNSSEC expand, any decision to require a package to do DNSSEC would mean any component depending on that also has to be outside our base. If all requirements along these lines are met by the lightweight resolver, then this is less of a concern.

Robert

Received on Fri Apr 02 2010 - 08:52:21 UTC
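The SSH-key-via-DNSSEC case Robert mentions, as an added example that is not part of the original thread or of any FreeBSD code. It uses the SSHFP record (RFC 4255, SHA-256 and Ed25519 per RFC 6594/7479) rather than the CERT records of the early prototypes, since that is what ssh-keygen -r publishes today. The Ed25519 public key and the resolver answer are constructed inline; the `ad` flag stands in for the Authenticated Data bit a validating resolver sets, which is exactly what disappears if the base system cannot validate DNSSEC.

```python
"""Match an SSH host key against an SSHFP record, trusting the record only
when the DNS answer was DNSSEC-validated (AD bit set).
Added example: not code from the mailing-list thread or from FreeBSD."""
import base64
import hashlib
import struct

# Constructed 32-byte Ed25519 public key; not any real host's key.
SAMPLE_ED25519_PUBKEY = bytes(range(32))

SSHFP_ALG_ED25519 = 4   # SSHFP algorithm number for Ed25519 (RFC 7479)
SSHFP_FP_SHA256 = 2     # SSHFP fingerprint type for SHA-256 (RFC 6594)


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_key_blob(pubkey: bytes) -> bytes:
    """SSH public-key blob for ssh-ed25519 (RFC 8709 layout)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey)


def authorized_key_line(pubkey: bytes) -> str:
    """The key as it appears in ssh_host_ed25519_key.pub / known_hosts."""
    return "ssh-ed25519 " + base64.b64encode(ed25519_key_blob(pubkey)).decode()


def sshfp_rdata(pubkey: bytes) -> str:
    """Presentation-format SSHFP RDATA: '<alg> <fptype> <hex digest>'.
    The digest covers the wire-format key blob, as ssh-keygen -r does."""
    digest = hashlib.sha256(ed25519_key_blob(pubkey)).hexdigest()
    return f"{SSHFP_ALG_ED25519} {SSHFP_FP_SHA256} {digest}"


def host_key_matches_dns(offered_key_line: str, answer: dict) -> bool:
    """Decide whether the key a server offered is the one published in DNS.

    `answer` is a constructed stand-in for a resolver result:
      {"ad": bool, "rrset": ["4 2 <hex>", ...]}
    An answer without the AD bit is refused outright: an unvalidated SSHFP
    record is no better than a leap-of-faith first connection, since anyone
    who can spoof DNS could publish a fingerprint for their own key."""
    if not answer.get("ad"):
        return False
    parts = offered_key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        return False
    blob = base64.b64decode(parts[1])
    fingerprint = hashlib.sha256(blob).hexdigest()
    for rdata in answer.get("rrset", []):
        fields = rdata.split()
        if len(fields) != 3:
            continue  # malformed record; ignore rather than trust
        alg, fptype, digest = fields
        if (int(alg) == SSHFP_ALG_ED25519
                and int(fptype) == SSHFP_FP_SHA256
                and digest.lower() == fingerprint):
            return True
    return False


if __name__ == "__main__":
    record = sshfp_rdata(SAMPLE_ED25519_PUBKEY)
    offered = authorized_key_line(SAMPLE_ED25519_PUBKEY)
    print("SSHFP record to publish:", record)
    print("validated answer:", host_key_matches_dns(offered, {"ad": True, "rrset": [record]}))
    print("unvalidated answer:", host_key_matches_dns(offered, {"ad": False, "rrset": [record]}))
```

OpenSSH's `VerifyHostKeyDNS` option performs this same lookup and, like the check above, only treats the record as authoritative when the resolver reports it as DNSSEC-validated; with an unvalidated answer it falls back to prompting the user. That is the dependency Robert is pointing at: the check is only as good as the validating resolver the base system ships with.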