On 3 Apr 2013, at 16:11, Paul Wouters <p...@nohats.ca> wrote:

> It's the vendors of equipment supporting DNSSEC that have
> the real issues. If they shipped with a root anchor, and their stuff
> is offline for 5 years and turned on, their DNS will be broken and 5011
> isn't going to be useful to them.....

Fair enough Paul, but how much of a problem could that realistically be and is it worth bothering about?

I think nothing is needed here except perhaps a statement of the bleeding obvious: "if you miss too many key rollovers, Very Bad Things will happen so make sure you have a foolproof way of recovering from that". E.g. have some out of band means of fetching and verifying the current version of the One True Trust Anchor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop