Bug 626262
Summary: | bind doesn't include the dns root key | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Scott Schmit <i.grok> |
Component: | bind | Assignee: | Adam Tkac <atkac> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 13 | CC: | atkac, ovasik, pwouters |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | bind-9.7.3-1.fc15 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | 626238 | Environment: | |
Last Closed: | 2011-02-27 04:50:27 UTC | Type: | --- |
Description
Scott Schmit
2010-08-23 01:03:49 UTC
The root key is included in Fedora 14 (/etc/named.root.key). I'm not going to release an update for F13 which will add the root key. If you think I should reconsider this decision, please reopen this bug. Closing.

What's your rationale?

(In reply to comment #2)
> What's your rationale?

Well, in my opinion it's not a good idea to modify the default named.conf and include the root DNSKEY there because it can cause serious problems (the root domain and all its signed subdomains will be validated instead of domains in DLV). If I include the root DNSKEY in the bind package then, I think, the vast majority of people will miss this change and they don't modify their named.conf. Due to those reasons I think root DNSKEY inclusion in Fedora 13 doesn't bring any benefit. However, as I said in comment #1, if you think I should reconsider my decision then please reopen this bug and I will release an update.

I think you should reconsider. You can still validate against both the root and the DLV. Looking at just the TLDs, 37 are in the root and not the DLV, another 9 are in both, and only arpa and kg are in the DLV and not in the root (as of root serial 2010110801). Even so, there are still people using the DLV until .com and .net get secured (ripe.net, etc.), so the DLV has use yet.

Also, since the format of the root key at the IANA URL is different from BIND's, getting the root key via a signed Fedora package is easier & more trustworthy for a less-savvy user, even if you don't choose to enable the root key by default (though if you can reliably do so without breaking configs, I think you should).

bind-9.7.3-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc14

bind-9.7.3-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc15

bind-9.7.3-1.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc13

bind-9.7.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc14

bind-9.7.3-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

bind-9.7.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

bind-9.7.3-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
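
The thread notes that the root key published at the IANA URL is in a different format from the one BIND reads. The following is an added example, not part of this bug report or of the bind package, showing how a BIND-style DNSKEY entry can be cross-checked against a digest-style trust anchor by computing the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509). The key bytes are constructed, and the XML element names are an assumption modelled on a digest-style anchor file.

```python
import base64, hashlib, re, struct
import xml.etree.ElementTree as ET

def parse_bind_key(text):
    """Parse one BIND-style key entry: name flags protocol algorithm "base64"."""
    m = re.search(r'(\S+)\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"', text)
    if not m:
        raise ValueError("no key entry found")
    name, flags, proto, alg, b64 = m.groups()
    key = base64.b64decode("".join(b64.split()), validate=True)
    # DNSKEY RDATA = flags(2) | protocol(1) | algorithm(1) | public key
    return name.strip('"'), struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def wire_name(name):
    """Owner name in DNS wire format, lower-cased (the root is one zero byte)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_digest(name, rdata):
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(name) + rdata).hexdigest().upper()

def matches_anchor(bind_text, anchor_xml):
    """True only if the BIND key matches a KeyDigest entry for the same zone."""
    name, rdata = parse_bind_key(bind_text)
    root = ET.fromstring(anchor_xml)
    if wire_name(root.findtext("Zone", "")) != wire_name(name):
        return False
    return any(int(kd.findtext("KeyTag")) == key_tag(rdata)
               and int(kd.findtext("Algorithm")) == rdata[3]
               and kd.findtext("DigestType") == "2"
               and kd.findtext("Digest").strip().upper() == ds_digest(name, rdata)
               for kd in root.iter("KeyDigest"))

# Constructed sample data: NOT the real root key or a real published digest.
SAMPLE_KEY = bytes(range(1, 65))
BIND_ENTRY = '. 257 3 8 "%s";' % base64.b64encode(SAMPLE_KEY).decode()
_name, _rdata = parse_bind_key(BIND_ENTRY)
ANCHOR_XML = ("<TrustAnchor><Zone>.</Zone><KeyDigest><KeyTag>%d</KeyTag>"
              "<Algorithm>8</Algorithm><DigestType>2</DigestType>"
              "<Digest>%s</Digest></KeyDigest></TrustAnchor>"
              % (key_tag(_rdata), ds_digest(_name, _rdata)))

if __name__ == "__main__":
    print("key tag:", key_tag(_rdata), "match:", matches_anchor(BIND_ENTRY, ANCHOR_XML))
```

A match here only shows that the key and the digest describe the same DNSKEY; the digest itself still has to come from a source whose authenticity has been checked.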