| 1 |
On 2018-10-11 17:48, Alec Warner wrote: |
| 2 |
> This thread is missing a bunch of context...so I'll try to add it I guess. |
| 3 |
|
| 4 |
All you need to know in this commit message, included linked bug report |
| 5 |
for more details. :) |
| 6 |
|
| 7 |
|
| 8 |
> I can't tell if the complaint is that: |
| 9 |
> |
| 10 |
> 1) Someone blind-stabled something on arm and it broke (doesn't build?) |
| 11 |
> 2) The arm team failed to mark a package stable before a hard deadline |
| 12 |
> (DNSSEC key rotation) |
| 13 |
> |
| 14 |
> I presume its the latter? Whats the impact? All DNS, or only DNSSEC |
| 15 |
> validated entries? |
| 16 |
|
| 17 |
It's the latter. It will affect anyone running an own DNS resolver like |
| 18 |
net-dns/unbound on ARM with DNSSEC enabled (not default) using keys |
| 19 |
provided by net-dns/dnssec-root package. |
| 20 |
|
| 21 |
Of course anyone familiar with DNSSEC or unbound maybe knows how to |
| 22 |
workaround: |
| 23 |
|
| 24 |
- Enable auto-anchor update; However it is too late to do that know, |
| 25 |
it will take ~30 days until the new learned key will become trusted. |
| 26 |
Same applies to any *new* setup within last 30 days. |
| 27 |
|
| 28 |
- Use unbound-anchor tool to force a manual immediate update. |
| 29 |
|
| 30 |
- Disable DNSSEC validation. |
| 31 |
|
| 32 |
But that's not the point here. The point was to get some attention that |
| 33 |
again we have a lacking architecture (net-dns/dnssec-root is not the |
| 34 |
only package where ARM arch team is lacking behind) which affects anyone |
| 35 |
"trusting" somehow in STABLE keywords. |
| 36 |
|
| 37 |
If everyone is using ~ARCH and don't care about STABLE keywords, well, |
| 38 |
we could save a bunch of time, energy... |
| 39 |
|
| 40 |
|
| 41 |
-- |
| 42 |
Regards, |
| 43 |
Thomas Deutschmann / Gentoo Linux Developer |
| 44 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives