On 2018-10-11 17:48, Alec Warner wrote:
> This thread is missing a bunch of context...so I'll try to add it I guess.

All you need to know is in this commit message, including the linked bug report
for more details. :)

> I can't tell if the complaint is that:
>
> 1) Someone blind-stabled something on arm and it broke (doesn't build?)
> 2) The arm team failed to mark a package stable before a hard deadline
> (DNSSEC key rotation)
>
> I presume it's the latter? What's the impact? All DNS, or only DNSSEC
> validated entries?

It's the latter. It will affect anyone running their own DNS resolver like
net-dns/unbound on ARM with DNSSEC enabled (not default) using keys
provided by the net-dns/dnssec-root package.

Of course anyone familiar with DNSSEC or unbound maybe knows how to
work around it:

- Enable auto-anchor update; however, it is too late to do that now,
  it will take ~30 days until the newly learned key becomes trusted.
  The same applies to any *new* setup within the last 30 days.

- Use the unbound-anchor tool to force a manual immediate update.

- Disable DNSSEC validation.

But that's not the point here. The point was to get some attention that
again we have a lacking architecture (net-dns/dnssec-root is not the
only package where the ARM arch team is lagging behind) which affects anyone
"trusting" somehow in STABLE keywords.

If everyone is using ~ARCH and doesn't care about STABLE keywords, well,
we could save a bunch of time, energy...

--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5