On Thu, 11 Oct 2018, Dave Taht wrote:
if any of you are still using cerowrt, and dnssec, it's gonna break
unless you update this, or disable dnssec... I do not know if the new
key was in openwrt 18.06 either...
http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
Just as an operational concern, if you have an old image of something (pre
mid 2017) that doesn't have the new key, it's not going to be able to
download the new key using the old key, as of today.
Any old install might have the key update function implemented and might
have the new key, but as soon as you re-install and the new key is not
there anymore, it'll stop working.
A DNSSEC validating device needs to have functionality to get the root key
somehow and keep it updated. Otherwise it's better to just not validate at
all if one cares about operational availability of the service.
--
Mikael Abrahamsson email: swm...@swm.pp.se
_______________________________________________
Bloat mailing list
Bloat@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/bloat
