at least from where I sit, it looks like it went well. On Thu, Oct 11, 2018 at 11:54 PM Mikael Abrahamsson <swm...@swm.pp.se> wrote: > > On Thu, 11 Oct 2018, Dave Taht wrote: > > > if any of you are still using cerowrt, and dnssec, it's gonna break > > unless you update this, or disable dnssec... I do not know if the new > > key was in openwrt 18.06 either... > > > > http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/ > > Just as an operational concern, if you have an old image of something (pre > mid 2017) that doesn't have the new key, it's not going to be able to > download the new key using the old key, as of today. > > Any old install might have the key update function implemented and might > have the new key, but as soon as you re-install and the new key is not > there anymore, it'll stop working. > > A DNSSEC validating device needs to have functionality to get the root key > somehow and keep it updated. Otherwise it's better to just not validate at > all if one cares about operational availability of the service. > > -- > Mikael Abrahamsson email: swm...@swm.pp.se
-- Dave Täht CTO, TekLibre, LLC http://www.teklibre.com Tel: 1-831-205-9740 _______________________________________________ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat