At 11:23 -0700 9/8/09, David Conrad wrote:
>On Sep 8, 2009, at 10:13 AM, Paul Wouters wrote:
>>I am not sure what appliance or software setup '.pr' uses, but it should have
>>never allowed to finish the key rollover with the bad key in the ISC DLV.
>
>Hmm.
>
>So, in order to roll a key, you have to ensure DLV registries have
>replaced the keys, even when the DLV registries obtain the originals
>indirectly?
>
>Seems a bit broken to me.

That's not broken, that's reality. My guidance is that we
(operators) have to take reasonable steps to prevent relying parties
from suffering consequences. When an emergency supersession is
needed, a nasty choice may need to be made.
Instead of complaining more about this, we need to figure out
why this is a weakness in DNSSEC operations and come up with a
solution.
It's too late for weeping and wailing...
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop