[CentOS] yum/RPM and Trust on First Use

Wed Dec 16 03:05:12 UTC 2015
Alice Wonder <alice at domblogger.net>

I'm not on the yum / RPM list and I don't know that I want to join just 
to discuss this but with respect to GPG keys - it is a classic example of 
trust on first use.

The first time yum installs a package, it asks to import the GPG key 
used to sign the packages. Most people accept without validating the key.

This is potentially exploitable because most repositories are http.

What if there was a DNS TXT record that corresponds with the repository, 
with the fingerprint of the key?

The DNS record could be DNSSEC secured (I believe Fedora already uses 
DNSSEC - some of their servers anyway) and yum could refuse to ask if 
the fingerprint of the key it is importing does not match the DNSSEC 
secured fingerprint.

Something like TXT record for

_rpmkey.security.centos.org.

could be requested for the fingerprint for security at centos.org

Advantage over gpg keyrings is that it can be implemented by anyone 
without needing to manage your keys with specific gpg keyrings, which 
has always been messy.

When yum is first asked to import a key, it refuses if it cannot DNSSEC 
validate the fingerprint.

After it DNSSEC validates the fingerprint, it can then do what it 
currently does, where the user can verify they trust the key.

To get a fingerprint in the centos.org zone and signed by DNSSEC would 
not be easy for a malicious packager to do.

Furthermore when a signing key has been compromised (happened with 
Fedora once) changing the DNS record would prevent the key from being 
imported in the future, and could even prevent packages signed by that 
key from being installed in the future even if the key is already imported.

For offline yum usage, a switch could be used to tell yum not to do the 
DNS lookup and DNSSEC validation.

Thoughts?
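
The import decision proposed in the message above, sketched as an added example (not part of the original post and not yum code). The function names, the TXT payload being a bare hex fingerprint, and the caller passing in the resolver's DNSSEC validation result are assumptions; the fingerprints are constructed, and the address is the one the archive renders as "security at centos.org".

```python
import re
from enum import Enum

class Decision(Enum):
    PROMPT_USER = "prompt"   # DNSSEC match: continue to yum's usual import question
    REFUSE = "refuse"        # do not offer the key for import at all
    SKIPPED = "skipped"      # offline switch: plain trust-on-first-use behaviour

# Constructed sample values, not real repository keys.
GOOD_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

def rpmkey_owner_name(key_email):
    """Map the key's e-mail to the record name, following the post's example."""
    local, _, domain = key_email.strip().lower().partition("@")
    if not local or not domain:
        raise ValueError("key uid has no usable e-mail address")
    return "_rpmkey.%s.%s." % (local, domain.rstrip("."))

def normalize_fpr(text):
    """Accept 'ABCD 1234 ...' or '0xabcd...'; return 40 upper-case hex or None."""
    hexes = re.sub(r"[\s:]", "", text).upper()
    if hexes.startswith("0X"):
        hexes = hexes[2:]
    return hexes if re.fullmatch(r"[0-9A-F]{40}", hexes) else None

def check_key(offered_fpr, txt_records, dnssec_validated, offline=False):
    """Decide what to do with a key, given an already-resolved TXT RRset.

    txt_records: TXT strings found at rpmkey_owner_name(...).
    dnssec_validated: True only when a validating resolver authenticated the
    answer (assumption: the caller obtains this from its resolver).
    """
    if offline:
        return Decision.SKIPPED
    offered = normalize_fpr(offered_fpr)
    if offered is None or not dnssec_validated:
        return Decision.REFUSE   # an unsigned answer is treated as no answer
    published = [f for f in map(normalize_fpr, txt_records) if f]
    # Several records may coexist during a key rollover; one exact match suffices.
    if offered in published:
        return Decision.PROMPT_USER
    return Decision.REFUSE       # missing, malformed or withdrawn record
```

Running `check_key` again for a key that is already imported covers the compromise case in the message: once the fingerprint is withdrawn from the zone the result becomes `REFUSE`.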