On 2013-04-04, at 16:23, Nicholas Weaver <nwea...@icsi.berkeley.edu> wrote:
>
> On Apr 4, 2013, at 1:19 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>>> I think nothing is needed here except perhaps a statement of the bleeding
>>> obvious: "if you miss too many key rollovers, Very Bad Things will happen
>>> so make sure you have a foolproof way of recovering from that".
>>
>> We need that statement because it's *not* bleeding obvious. I cannot think
>> of a single thing built into a 2007-era ISO of a Linux distro that would
>> have the property similar to "it will automatically give mysterious results
>> for DNS service". It might have lots of unsafe software turned on, but none
>> that will say "I'll serve you" but then it doesn't.
>
> Also, there is a LOT of old, NEVER updated, 5 year old networking kit out
> there. Well, fortunately they are often clueless about DNSSEC, but still...

I'm guessing that *all* kit today that has been on the shelf for the past 5 years is clueless about the current root zone trust anchor, considering that we generated it less than 3 years ago :-)

Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop