Re: [DNSOP] Why ZSK rollover is a Bad Idea (tm)

2009-10-08 Thread Doug Barton
Roy Arends wrote: I find it worrying that folks intend to test or practice operational procedures by doing it often on a live production system. What if that test or practice fails? Whoops, we were testing it on the live system, we failed, good thing we called it a test There is also a risk

Re: [DNSOP] [dnsext] Why ZSK rollover is a Bad Idea (tm)

2009-10-08 Thread Olaf Kolkman
On Oct 7, 2009, at 2:44 PM, Eric Rescorla wrote: From this perspective we might roll a ZSK more frequently than a KSK because the ZSK needs to be stored on-line to facilitate re-signing when the zone changes. With the KSK we have the option of keeping it off-line, and arguably the risk

Re: [DNSOP] I-D Action:draft-ietf-dnsop-as112-ops-03.txt

2009-10-08 Thread Chris Hills
On 06/10/09 03:30, internet-dra...@ietf.org wrote: Many sites connected to the Internet make use of IPv4 addresses which are not globally unique. Examples are the addresses designated in RFC1918 for private use within individual sites. Should this be extended to include RFC4193 unique local

Re: [DNSOP] I-D Action:draft-ietf-dnsop-as112-ops-03.txt

2009-10-08 Thread Joe Abley
On 2009-10-08, at 17:13, Chris Hills wrote: On 06/10/09 03:30, internet-dra...@ietf.org wrote: Many sites connected to the Internet make use of IPv4 addresses which are not globally unique. Examples are the addresses designated in RFC1918 for private use within individual sites. Should

Re: [DNSOP] Why ZSK rollover is a Bad Idea (tm)

2009-10-08 Thread Todd Glassey
Doug Barton wrote: Roy Arends wrote: I find it worrying that folks intend to test or practice operational procedures by doing it often on a live production system. What if that test or practice fails? Whoops, we were testing it on the live system, we failed, good thing we called it a test

Re: [DNSOP] I-D Action:draft-ietf-dnsop-as112-ops-03.txt

2009-10-08 Thread Mark Andrews
In message fa3f9a93-eaf3-4142-8a33-ba7e72f88...@hopcount.ca, Joe Abley writes: On 2009-10-08, at 17:13, Chris Hills wrote: On 06/10/09 03:30, internet-dra...@ietf.org wrote: Many sites connected to the Internet make use of IPv4 addresses which are not globally unique. Examples are

Re: [DNSOP] I-D Action:draft-ietf-dnsop-as112-ops-03.txt

2009-10-08 Thread William F. Maton Sotomayor
On Thu, 8 Oct 2009, Joe Abley wrote: Should this be extended to include RFC4193 unique local IPv6 unicast addresses (i.e. [cd].f.ip6.arpa.)? I seem to remember having that discussion a long time ago, maybe in concert with discussion of marka's local-zones draft. It was the Prague IETF in

Re: [DNSOP] I-D Action:draft-ietf-dnsop-as112-ops-03.txt

2009-10-08 Thread William F. Maton Sotomayor
On Thu, 8 Oct 2009, Chris Hills wrote: On 06/10/09 03:30, internet-dra...@ietf.org wrote: Many sites connected to the Internet make use of IPv4 addresses which are not globally unique. Examples are the addresses designated in RFC1918 for private use within individual sites. Should this be