On 2013-04-06, at 16:55, Tony Finch <d...@dotat.at> wrote:

> On 3 Apr 2013, at 17:38, Evan Hunt <e...@isc.org> wrote:
>>
>> Then there's the issue Paul mentioned -- gear configured with a root KSK
>> that gets switched off and not rebooted for a few months or years, and then
>> no longer works and can't recover.
>
> Validator vendors have to provide an out-of-band trust anchor update 
> mechanism to cope with this. It needs to be coded and included in long-term 
> support releases of validators and operating systems before rollover, I think.

draft-jabley-dnsop-validator-bootstrap.

> I am not sure if ICANN intend their trust anchor download server to be used 
> for this purpose or if vendors are expected to provision their own mirrors.

Our server is fine. Others' servers are also fine, although we would
likely prefer to wrap some small process around contact info,
notifications when there is new content, etc.

> I also don't know how to assess the trustworthiness of ICANN's signatures on 
> the trust anchor.

draft-jabley-dnsop-validator-bootstrap. There is some work required on
the details, but the intended direction should be clear.


Joe
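The mechanism the thread is arguing for, as an added worked example (my code, not from Joe, Tony, or any validator or ICANN software): a publisher side that emits a file in the shape of ICANN's root-anchors.xml, and a validator side that, on (re)boot after a long shutdown, keeps only the anchors whose validity window covers the current time and accepts a root DNSKEY only if its DS (RFC 4034 section 5.1.4, key tag per Appendix B) matches one of them. The keys, dates and digests are constructed; the 4-byte "public keys" are not real RSA material. Verifying the detached signature on the anchor file, the part the thread says still needs work, is assumed to have happened before this code runs and is not implemented here.

```python
"""Out-of-band trust-anchor bootstrap check (added example, not from the thread).

Publisher side emits a file in the shape of ICANN's root-anchors.xml; the
validator side, on (re)boot, keeps only anchors whose validity window
covers 'now' and accepts a root DNSKEY only if its DS (RFC 4034 s5.1.4)
matches one of them.  Keys, dates and digests are constructed; verifying
the detached signature on the anchor file is assumed done beforehand.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical (lower-cased) wire form of an owner name; '.' -> b'\\x00'."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line):
    """'<owner> [ttl] [IN] DNSKEY flags proto alg key...' -> (owner, alg, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(f[i + 4:]))
    return f[0], alg, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner wire name || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def publish_anchors(zone, entries):
    """Publisher side: (dnskey_line, validFrom, validUntil-or-None) -> XML text."""
    out = ['<TrustAnchor id="EXAMPLE" source="constructed">', f"  <Zone>{zone}</Zone>"]
    for line, valid_from, valid_until in entries:
        owner, alg, rdata = parse_dnskey(line)
        until = f' validUntil="{valid_until}"' if valid_until else ""
        out.append(f'  <KeyDigest id="K{key_tag(rdata)}" validFrom="{valid_from}"{until}>')
        out.append(f"    <KeyTag>{key_tag(rdata)}</KeyTag><Algorithm>{alg}</Algorithm>"
                   f"<DigestType>2</DigestType><Digest>{ds_digest(owner, rdata, 2)}</Digest>")
        out.append("  </KeyDigest>")
    out.append("</TrustAnchor>")
    return "\n".join(out)


def parse_anchors(xml_text, now):
    """Validator side: anchors whose validFrom <= now < validUntil (if present)."""
    root = ET.fromstring(xml_text)
    zone, live = root.findtext("Zone"), []
    for kd in root.findall("KeyDigest"):
        start = datetime.fromisoformat(kd.get("validFrom"))
        end = kd.get("validUntil")
        if now < start or (end and now >= datetime.fromisoformat(end)):
            continue  # expired or not yet valid: never use it
        live.append({"zone": zone, "tag": int(kd.findtext("KeyTag")),
                     "alg": int(kd.findtext("Algorithm")),
                     "dtype": int(kd.findtext("DigestType")),
                     "digest": kd.findtext("Digest").upper()})
    return live


def trusted_keys(dnskey_lines, anchors):
    """Key tags of DNSKEYs that match a live anchor by owner, tag, alg and digest."""
    accepted = []
    for line in dnskey_lines:
        owner, alg, rdata = parse_dnskey(line)
        tag = key_tag(rdata)
        if any(a["zone"] == owner and a["tag"] == tag and a["alg"] == alg
               and ds_digest(owner, rdata, a["dtype"]) == a["digest"] for a in anchors):
            accepted.append(tag)
    return accepted


# Constructed keys: 4-byte "public keys", not real RSA material.
OLD_KSK = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="   # key tag 2063
NEW_KSK = ". 172800 IN DNSKEY 257 3 8 AQIDBQ=="   # key tag 2064, the successor
ROGUE = ". 172800 IN DNSKEY 257 3 8 /////w=="     # never published as an anchor

ANCHORS_XML = publish_anchors(".", [
    (OLD_KSK, "2010-07-15T00:00:00+00:00", "2012-01-01T00:00:00+00:00"),
    (NEW_KSK, "2011-01-01T00:00:00+00:00", None),
])
DURING_ROLLOVER = datetime(2011, 6, 1, tzinfo=timezone.utc)  # both anchors live
LONG_AFTER = datetime(2013, 4, 6, tzinfo=timezone.utc)       # only the successor is live


def bootstrap(now, dnskey_lines=(NEW_KSK, ROGUE), xml_text=ANCHORS_XML):
    """A validator (re)booting at 'now' with a fresh anchor file and the current root DNSKEYs."""
    return trusted_keys(dnskey_lines, parse_anchors(xml_text, now))


if __name__ == "__main__":
    print("trusted key tags after a long shutdown:", bootstrap(LONG_AFTER))
```

The point of the validity window is the dormant-gear case above: a box that last booted before the rollover and comes back after it gets an anchor file where the old KeyDigest has a validUntil in the past, so the old key is dropped rather than used to fail validation forever, and the successor is accepted because its DS matches. A key that is not in the file, or a file whose Digest has been tampered with, yields no trusted keys, which is the safe failure.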
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
