At 11:29 AM -0700 8/15/08, David Conrad wrote:
> Given this, does anyone see any DNS security and/or stability concerns if a miracle were to happen and the root were to be signed tomorrow?

Yes, at the time of the first root key rollover. Well, to be more specific, at the time that all of the keys in the first announced set of root keys have been retired. Given the little effort that has been made in helping rDNS operators understand that they have to keep their trust anchors up to date, we should expect them to treat trust anchors the same way they treat root hints.

Even if the root rollovers are done following RFC 5011, this only helps rDNS operators running 5011-aware resolvers. All the rest will be out of luck when the last key they have in their dusty config file is removed.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
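
The failure mode described in the message above, as an added example that is not part of the original e-mail: a check that compares a resolver's statically configured trust anchors with the DNSKEY set currently published, and reports when no configured anchor is still live. The function names and the two-byte sample keys are constructed for illustration; key tags follow RFC 4034 Appendix B and the REVOKE bit follows RFC 5011.

```python
import struct

SEP = 0x0001     # Secure Entry Point flag (RFC 4034), set on key-signing keys
REVOKE = 0x0080  # REVOKE flag (RFC 5011); setting it changes the key tag

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_anchors(configured, published):
    """Classify configured anchors against the published DNSKEY set.

    Both arguments are lists of (flags, protocol, algorithm, public_key).
    Keys are matched on (algorithm, public_key) because a revoked key keeps
    its key material but gets different flags and a different key tag.
    """
    live_keys = {(alg, key) for flags, _proto, alg, key in published
                 if flags & SEP and not flags & REVOKE}
    live, stale = [], []
    for flags, proto, alg, key in configured:
        tag = key_tag(flags, proto, alg, key)
        (live if (alg, key) in live_keys else stale).append(tag)
    if not live:
        status = "broken"      # validation fails: no usable anchor left
    elif stale:
        status = "degraded"    # still validates, but config needs cleanup
    else:
        status = "ok"
    return {"status": status, "live": live, "stale": stale}

# Constructed sample keys (not real root keys).
OLD = (257, 3, 8, b"\x01\x02")
NEW = (257, 3, 8, b"\x03\x04")
OLD_REVOKED = (257 | REVOKE, 3, 8, b"\x01\x02")

def rollover_statuses(configured):
    """Status of one fixed config across a constructed rollover timeline."""
    phases = [[OLD], [OLD, NEW], [OLD_REVOKED, NEW], [NEW]]
    return [audit_anchors(configured, p)["status"] for p in phases]

if __name__ == "__main__":
    print("never-updated config:", rollover_statuses([OLD]))
```

A configuration holding only the first key validates until that key is revoked or removed, then fails outright; nothing in between signals the coming break unless a check like this is run against the live key set.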
