Hi!

On 06.04.2013, at 11:04, Tony Finch <d...@dotat.at> wrote:
> On 3 Apr 2013, at 16:11, Paul Wouters <p...@nohats.ca> wrote:
> 
>> It's the vendors of equipment supporting DNSSEC that have
>> the real issues. If they shipped with a root anchor, and their stuff
>> is offline for 5 years and turned on, their DNS will be broken and 5011
>> isn't going to be useful to them.....
> 
> The real problem occurs when the latest release of the validator software was 
> published before the rollover, and you install it after the rollover. It is 
> perfectly reasonable to install software that is a few months old.
I don't think that this is the real problem. The real problem is when a 
validator has a history of 5011 keys and gets shut down for a year or a couple 
of months while the root KSK rolls.

Initially it might be better for validators, instead of being shipped with a key, 
to follow draft-jabley-dnssec-trust-anchor to get the initial root key. There 
are some implementations out there that already do this.

I think it might be good to extend draft-jabley-dnsop-validator-bootstrap to 
also cover problems introduced by root KSK rollover in order to give people 
guidance in case their bootstrap process is stuck.

I'll also add these comments to the ICANN root key roll consultation page later 
(just returned from vacation).

So long
-Ralf
---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400 
Redwood City, California 94063
ralf.we...@nominum.com



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
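The two failure modes discussed above (a validator that held RFC 5011 state and was powered off while the root KSK rolled, and one installed after the roll with a shipped key that is now stale), together with the trust-anchor-file bootstrap the message proposes as a way out, worked through in a small Python model. This is an added example, not code from the thread or from any validator implementation: the key tags, the roll schedule and the XML file are constructed, the DS digest check is replaced by key-tag matching, and RRSIG verification is assumed to have been done by the caller.

```python
"""Toy RFC 5011 trust-anchor state machine plus a bootstrap from a file in
the shape draft-jabley-dnssec-trust-anchor describes. Constructed example:
RRSIG verification is assumed done elsewhere, so a DNSKEY RRset is just the
key tags present, the tags with the REVOKE bit, and the tags that sign it."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

ADD_HOLD_DOWN = 30         # days, RFC 5011 section 2.4.1
REMOVE_HOLD_DOWN = 30      # days, RFC 5011 section 2.4.2
K_OLD, K_NEW = 1000, 2000  # constructed key tags, not the real root KSK tags

# Constructed file in the shape of IANA's root-anchors.xml; the digest is fake.
ROOT_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="example" source="https://example.invalid/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="knew" validFrom="2013-01-01T00:00:00+00:00">
    <KeyTag>2000</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF</Digest>
  </KeyDigest>
</TrustAnchor>"""

@dataclass
class Anchor:
    state: str                   # AddPend | Valid | Missing | Revoked
    timer: Optional[int] = None  # day on which the current hold-down expires

class Validator:
    def __init__(self):
        self.anchors: Dict[int, Anchor] = {}

    def trusted(self):  # Valid and Missing are anchors; AddPend/Revoked are not
        return {t for t, a in self.anchors.items() if a.state in ("Valid", "Missing")}

    def bootstrap(self, xml_text, dnskey_tags):
        """A real validator verifies the file's detached signature and matches
        each DS digest to a fetched DNSKEY; matching key tags stands in for that."""
        root = ET.fromstring(xml_text)
        if root.find("Zone").text != ".":
            raise ValueError("not a root trust-anchor file")
        for kd in root.iter("KeyDigest"):
            tag = int(kd.find("KeyTag").text)
            if tag in dnskey_tags:
                self.anchors[tag] = Anchor("Valid")

    def observe(self, day, present, revoked, signed_by):
        """One poll of the root DNSKEY RRset; returns whether it validated."""
        # 1. Revocation counts only if the REVOKE-bit key also signs the RRset.
        for tag in revoked & signed_by:
            a = self.anchors.get(tag)
            if a and a.state == "AddPend":
                del self.anchors[tag]           # never trusted; back to Start
            elif a and a.state in ("Valid", "Missing"):
                self.anchors[tag] = Anchor("Revoked", day + REMOVE_HOLD_DOWN)
        # 2. Only an RRset signed by a still-trusted key can introduce keys.
        rrset_trusted = bool(self.trusted() & signed_by)
        for tag in present - revoked:
            a = self.anchors.get(tag)
            if a is None and rrset_trusted:
                self.anchors[tag] = Anchor("AddPend", day + ADD_HOLD_DOWN)
            elif a and a.state == "AddPend" and rrset_trusted and day >= a.timer:
                self.anchors[tag] = Anchor("Valid")
            elif a and a.state == "Missing":
                self.anchors[tag] = Anchor("Valid")
        # 3. Keys that vanished, and revoked keys past the remove hold-down.
        for tag, a in list(self.anchors.items()):
            if a.state == "AddPend" and tag not in present:
                del self.anchors[tag]
            elif a.state == "Valid" and tag not in present:
                self.anchors[tag] = Anchor("Missing")
            elif a.state == "Revoked" and day >= a.timer:
                del self.anchors[tag]           # Removed
        return rrset_trusted

def root_dnskey(day):
    """Constructed roll: publish K_NEW, wait, revoke K_OLD, retire K_OLD."""
    if day < 40:
        return {K_OLD}, set(), {K_OLD}
    if day < 80:
        return {K_OLD, K_NEW}, set(), {K_OLD, K_NEW}
    if day < 110:
        return {K_OLD, K_NEW}, {K_OLD}, {K_OLD, K_NEW}
    return {K_NEW}, set(), {K_NEW}

def simulate(off_days=()):
    """Validator shipped trusting K_OLD polls daily through day 130 unless off."""
    v = Validator()
    v.anchors[K_OLD] = Anchor("Valid")
    ok = None
    for day in range(131):
        if day not in off_days:
            ok = v.observe(day, *root_dnskey(day))
    return ok, v

def recover(v, day=131):
    """What a trust-anchor-file bootstrap does for a stuck validator."""
    present, revoked, signed_by = root_dnskey(day)
    v.bootstrap(ROOT_ANCHORS_XML, present)
    return v.observe(day, present, revoked, signed_by)
```

Running `simulate()` shows the always-on case: K_NEW enters AddPend on day 40, becomes Valid after the 30-day hold-down, and the validator still validates after K_OLD is revoked and retired. `simulate(range(31, 100))` is the powered-off case from the message: when the box returns it sees K_OLD with the REVOKE bit and drops it, but no key it trusts signs K_NEW in, so it is left with no anchor at all. `simulate(range(31, 120))` (or a fresh install with the old shipped key) is the case Tony raised: the only anchor goes to Missing and stays there. In neither case can RFC 5011 recover, because the protocol needs a currently trusted key to vouch for the new one; `recover()` shows the file-based bootstrap putting K_NEW back, which is the guidance the message asks draft-jabley-dnsop-validator-bootstrap to spell out. The model deliberately omits the RFC 5011 query-interval and retry rules and key-tag collision handling (an assumption of this example), which do not change the outcome here.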
