On Tue, 8 Sep 2009, Edward Lewis wrote:
I guess we need a MUCH better communication method between TLDs, iTAR
and ISC's DLV. This is bad.
What do we need?
- A tool for key owners to detect proper propagation of their new key, so
they know when it is safe to complete the rollover by removing the old
trust anchor. This should be part of any DNSSEC Signer solution.
- Better checks in the ISC DLV. It should have spotted this. Perhaps it did,
but did not know who to contact.
- A tool for resolvers to detect and roll over trust anchors (eg autotrust
deployed)
None of these interfaces have been treated by the standards bodies. When
designing a TLD's DNSSEC mechanics, the interface and protocol for publicizing
the SEP is still a grey "TBD" box. That's a risk area.
At least for TLDs, we expect this to be fixed in December with a signed root.
I am not sure what appliance or software setup '.pr' uses, but it should have
never been allowed to finish the key rollover with the bad key in the ISC DLV.
Paul
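As an added example (not from this thread or any signer product), the propagation check the first bullet asks for, in plain Python with only the standard library: compute the DS for the new KSK as RFC 4034 specifies and refuse to complete the rollover until every publisher (the parent TLD and the ISC DLV here) carries a matching DS. The owner name, publisher names and key bytes are constructed placeholders.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    # DNSKEY RDATA wire form: flags, protocol, algorithm, then the raw public key
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(flags, protocol, algorithm, pubkey):
    # RFC 4034 Appendix B key tag (algorithm 1 excluded for brevity)
    acc = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    # canonical (lower-case) wire form of the owner name
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type):
    # DS digest = hash(owner name wire form | DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    data = owner_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hashers[digest_type](data).hexdigest().upper()

def rollover_safe_to_complete(owner, new_key, published):
    """new_key: (flags, protocol, algorithm, pubkey).
    published: {publisher: [(key_tag, algorithm, digest_type, digest_hex), ...]}
    Returns the publishers that still lack a DS for new_key; empty means the
    old key may be withdrawn."""
    flags, proto, alg, pub = new_key
    tag = key_tag(flags, proto, alg, pub)
    missing = []
    for publisher, ds_set in published.items():
        found = any(t == tag and a == alg and dt in (1, 2)
                    and d.upper() == ds_digest(owner, flags, proto, alg, pub, dt)
                    for (t, a, dt, d) in ds_set)
        if not found:
            missing.append(publisher)
    return missing

if __name__ == "__main__":
    # constructed sample: parent already has the new DS, the DLV still has the old one
    OLD = (257, 3, 8, b"constructed-old-ksk")
    NEW = (257, 3, 8, b"constructed-new-ksk")
    published = {
        "parent": [(key_tag(*NEW), 8, 2, ds_digest("example.", *NEW, 2))],
        "dlv": [(key_tag(*OLD), 8, 2, ds_digest("example.", *OLD, 2))],
    }
    print("still missing the new DS:", rollover_safe_to_complete("example.", NEW, published))
```

In a real deployment the `published` sets would be fetched with validated DS queries against the parent and the DLV registry, and the signer would block the old key's removal while the list is non-empty.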
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop