On Apr 4, 2013, at 12:45 PM, Jim Reid <[email protected]> wrote: > On 3 Apr 2013, at 16:11, Paul Wouters <[email protected]> wrote: > >> It's the vendors of equipment supporting DNSSEC that have >> the real issues. If they shipped with a root anchor, and their stuff >> is offline for 5 years and turned on, their DNS will be broken and 5011 >> isn't going to be useful to them..... > > Fair enough Paul, but how much of a problem could that realistically be and > is it worth bothering about? > > I think nothing is needed here except perhaps a statement of the bleeding > obvious: "if you miss too many key rollovers, Very Bad Things will happen so > make sure you have a foolproof way of recovering from that".
We need that statement because it's *not* bleeding obvious. I cannot think of a single thing built into a 2007-era ISO of a Linux distro that would have the property similar to "it will automatically give mysterious results for DNS service". It might have lots of unsafe software turned on, but none that will say "I'll serve you" but then it doesn't. > eg Have some out of band means of fetching and verifying the current version > of the One True Trust Anchor. And has the IETF supplied anything like that? If not, should ICANN wait for the first roll until we have? --Paul Hoffman _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
