Paul Vixie <p...@redbarn.org> wrote:
>
> i suggest that bind, unbound, powerdns, and so on change their packaging to
> put the trust anchor in a different upgradeable package (.deb, .rpm, etc)
> than the software itself. until and unless the package manager is secured by
> DANE rather than by ssh/pgp/x509/etc, then the solution for being on the
> shelf for several months is, do a software update before you try to go
> online.

I think that's a good suggestion for the short term. For the longer term I
would like it to be possible to say that DANE is a reasonable way to
authenticate software updates, but at the moment it is not.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking, North Utsire, South Utsire: Variable, mainly northerly 3 or 4,
occasionally 5 for a time. Slight or moderate. Wintry showers. Good
occasionally poor.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop