From: "Mark Andrews" <marka@isc.org>
To: bind9-bugs@isc.org
Date: Thu, 17 Nov 2016 14:56:44 +1100
Subject: Re: [ISC-Bugs #43670] Warn on seeing trusted-keys option in config
Message-ID: <20161117035644.E572B5A5BED1@rock.dv.isc.org>
In-Reply-To: Your message of "Thu, 17 Nov 2016 03:46:33 -0000."

In message, "Mukund Sivaraman via RT" writes:
> Warren Kumari asked today (IETF meeting) that we warn whenever we notice a
> trusted-keys option in config, that it is a fixed trust anchor and that users
> should ideally be using managed-keys.
>
> I asked him (and Jim Martin who was sitting next to him) if he expected BIND
> to warn just for the root or for any trust point and he said it should be any.
>
> From a previous discussion at ICANN with him, I think he fears that many BIND
> tutorials from history have described using trusted-keys, and so, many users
> have resolvers set up to use trusted-keys in config.

managed-keys are for keys where the administrator has stated that they are
using RFC 5011. I know of exactly two of these: the root and dlv.isc.org.

Warning for "." and "dlv.isc.org" when they match the built-in managed keys
would be appropriate. Warning for keys in both trusted-keys and managed-keys
would be appropriate. Anything else should not be flagged.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
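The policy Mark lays out above (flag a trusted-keys entry only when it is "." or "dlv.isc.org" and duplicates a built-in managed key, or when the same key is also listed in managed-keys; leave everything else alone) as a stand-alone check over a named.conf, added here as an illustration. This is not ISC's or BIND's own code: the named.conf fragment and the key strings are constructed for the example, and BUILTIN_MANAGED_KEYS is a stand-in for the keys BIND compiles in, not real key material. The `warn_all` switch reproduces the broader "warn on any trusted-keys" request from the quoted message for comparison.

```python
"""Flag trusted-keys entries in a named.conf that should be managed-keys.

Added example, not BIND code.  Policy implemented (from the thread):
  1. a trusted-keys entry for "." or "dlv.isc.org" that matches a built-in
     managed key is flagged;
  2. a key that appears in both trusted-keys and managed-keys is flagged;
  3. anything else is left alone, unless warn_all=True (the broader request).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustAnchor:
    name: str       # normalized owner name, "." for the root, no trailing dot otherwise
    flags: int
    protocol: int
    algorithm: int
    key: str        # base64 key data with whitespace removed


def normalize_name(name: str) -> str:
    name = name.strip('"').lower()
    return "." if name in (".", "") else name.rstrip(".")


# trusted-keys / managed-keys blocks anywhere in the file (also inside a view)
_BLOCK_RE = re.compile(r"\b(trusted-keys|managed-keys)\s*\{(.*?)\};", re.S)
# one statement: name [initial-key] flags protocol algorithm "base64" ["base64" ...]
_ENTRY_RE = re.compile(
    r'^\s*("?[^\s"]+"?)\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+((?:"[^"]*"\s*)+)$'
)


def strip_comments(conf: str) -> str:
    # named.conf allows /* */, // and # comments.  Line comments are only
    # recognised at line start or after whitespace so that "//" inside
    # base64 key data is left alone.
    return re.sub(r"/\*.*?\*/|(^|\s)(//|#)[^\n]*", r"\1", conf, flags=re.S)


def parse_trust_anchors(conf: str) -> dict:
    """Return {"trusted-keys": set of TrustAnchor, "managed-keys": set of TrustAnchor}."""
    found = {"trusted-keys": set(), "managed-keys": set()}
    for kind, body in _BLOCK_RE.findall(strip_comments(conf)):
        for stmt in body.split(";"):
            if not stmt.strip():
                continue
            m = _ENTRY_RE.match(stmt)
            if not m:
                raise ValueError(f"unparsable {kind} entry: {stmt.strip()!r}")
            name, flags, proto, alg, quoted = m.groups()
            key = re.sub(r"\s+", "", "".join(re.findall(r'"([^"]*)"', quoted)))
            found[kind].add(TrustAnchor(normalize_name(name), int(flags), int(proto), int(alg), key))
    return found


# Stand-in for the keys BIND compiles in (root KSK and dlv.isc.org).
# Constructed values for this example, NOT real DNSKEY material.
BUILTIN_MANAGED_KEYS = {
    TrustAnchor(".", 257, 3, 8, "AwEAAcONSTRUCTEDrootKEYdata0000000000000000000000000000000000=="),
    TrustAnchor("dlv.isc.org", 257, 3, 5, "BEAAAcONSTRUCTEDdlvKEYdata00000000000000000000000000000000000=="),
}
RFC5011_NAMES = {".", "dlv.isc.org"}


def check_trust_anchors(conf: str, builtin=BUILTIN_MANAGED_KEYS, warn_all=False) -> list:
    """Return [(owner name, reason), ...] for trusted-keys entries that should be flagged."""
    anchors = parse_trust_anchors(conf)
    trusted, managed = anchors["trusted-keys"], anchors["managed-keys"]
    warnings = []
    for ta in sorted(trusted, key=lambda t: (t.name, t.key)):
        if ta.name in RFC5011_NAMES and ta in builtin:
            warnings.append((ta.name, "fixed copy of a built-in managed key; use managed-keys (RFC 5011)"))
        elif ta in managed:
            warnings.append((ta.name, "same key is also listed in managed-keys"))
        elif warn_all:
            warnings.append((ta.name, "trusted-keys is a fixed trust anchor; consider managed-keys"))
    return warnings


# Constructed named.conf fragment for the example (not a real configuration).
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; dnssec-validation yes; };

trusted-keys {
    // root and dlv.isc.org copied from an old tutorial: both match the built-ins
    "." 257 3 8 "AwEAAcONSTRUCTEDrootKEYdata0000000000000000000000000000000000==";
    dlv.isc.org. 257 3 5 "BEAAAcONSTRUCTEDdlvKEYdata00000000000000000000000000000000000==";
    example.net. 257 3 13 "CONSTRUCTEDexampleNetKEY000000000000000000000000000000000000==";
    corp.example. 257 3 8 "CONSTRUCTEDcorpKEY000000000000000000"
                          "00000000000000000000000000==";   /* split string */
};

managed-keys {
    example.net. initial-key 257 3 13 "CONSTRUCTEDexampleNetKEY000000000000000000000000000000000000==";
};
"""

if __name__ == "__main__":
    for name, reason in check_trust_anchors(SAMPLE_NAMED_CONF):
        print(f"warning: trusted-keys entry for {name!r}: {reason}")
```

Run as a script it reports the root and dlv.isc.org entries (they match the stand-in built-ins) and example.net (present in both blocks); the corp.example anchor, a private trust point with no RFC 5011 arrangement, is not reported unless `warn_all=True`. A root key that does not match the built-in one is also left alone under this policy, since it is then a deliberate local override rather than a stale copy.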