On Mon, 4 Oct 2010, Joe Abley wrote:
> On 2010-10-04, at 11:33, Tony Finch wrote:
> > On Mon, 4 Oct 2010, Joe Abley wrote:
> >>
> >> I have not heard a clear description of a problem yet
> >
> > How can a system that missed a TA rollover bootstrap its DNSSEC validator?
>
> The same way that it bootstraps itself at day zero.

I expect that validators will ship with an initial TA built in (e.g. as BIND does for DLV) which means the two scenarios are very different.

Even if the validator does not ship with an initial TA, there is still a big difference between no TA and a broken TA, so the validator still has to be able to work out if the breakage is benign or malicious.

It would be nice to see some evidence that other people are thinking about this problem seriously and in detail rather than brushing off my questions :-/

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop