In message <[email protected]>, Nicholas Weaver writes:
>
> > On Apr 4, 2013, at 1:19 PM, Paul Hoffman <[email protected]> wrote:
> >> I think nothing is needed here except perhaps a statement of the
> >> bleeding obvious: "if you miss too many key rollovers, Very Bad Things
> >> will happen so make sure you have a foolproof way of recovering from
> >> that".
> >
> > We need that statement because it's *not* bleeding obvious. I cannot
> > think of a single thing built into a 2007-era ISO of a Linux distro that
> > would have the property similar to "it will automatically give mysterious
> > results for DNS service". It might have lots of unsafe software turned
> > on, but none that will say "I'll serve you" but then it doesn't.
>
> Also, there is a LOT of old, NEVER updated, 5 year old networking kit out
> there. Well, fortunately they are often clueless about DNSSEC, but
> still...
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
The real problem here is that 5011 is a hack. It overloads SEP. It makes
for a bigger DNSKEY rrset. It doesn't provide for per zone refresh
policy. It doesn't give guidance for effectivity interval for DNSKEYs.

Validators need to have end dates for DNSKEYs. If it starts up after that
date it goes to all insecure. At the moment a DNSKEY is valid till the
end of time. You can recover relatively easily from all insecure.
Recovering from all bogus is much harder.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
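The distinction the message above draws (a validator that boots with a stale trust anchor and no end date lands in "all bogus", whereas an anchor with an end date expires and the zone degrades to "all insecure") can be shown with a small Python model. This is an added example, not code from the thread or from any real validator; the `TrustAnchor` record, the `validation_state` function, the key tags and the dates are all constructed for illustration, and matching by key tag stands in for the DNSKEY/RRSIG verification a real validator performs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Validation outcomes for a zone, as a resolver would report them.
SECURE = "secure"      # a usable anchor matches a key in the zone's DNSKEY set
INSECURE = "insecure"  # no usable anchor at all: the zone is treated as unsigned
BOGUS = "bogus"        # usable anchor(s) exist but none match: answers are rejected


@dataclass(frozen=True)
class TrustAnchor:
    """Hypothetical record for one configured trust anchor."""
    key_tag: int
    valid_from: datetime
    valid_until: Optional[datetime]  # None: "valid till the end of time"


def usable_anchors(anchors: Iterable[TrustAnchor], now: datetime) -> List[TrustAnchor]:
    """Keep only anchors whose effectivity interval covers `now`."""
    return [
        a for a in anchors
        if a.valid_from <= now and (a.valid_until is None or now < a.valid_until)
    ]


def validation_state(anchors: Iterable[TrustAnchor],
                     zone_key_tags: Set[int], now: datetime) -> str:
    """Classify a zone from the validator's point of view at time `now`.

    Comparing an anchor's key tag with the zone's current DNSKEY tags is a
    simplification of the signature verification a real validator does.
    """
    live = usable_anchors(anchors, now)
    if not live:
        return INSECURE          # nothing to validate against: unsigned, recoverable
    if any(a.key_tag in zone_key_tags for a in live):
        return SECURE
    return BOGUS                 # stale anchor still "valid": every answer rejected


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def scenarios() -> Dict[str, str]:
    """Constructed scenarios: the same missed rollover under both policies."""
    # Constructed key tags and dates; not taken from any real zone.
    old_key, new_key = 1001, 2002
    rollover_end = _utc(2016, 1, 1)      # when the old key was meant to retire
    zone_keys_now = {new_key}            # the zone only serves the new key
    startup = _utc(2018, 6, 1)           # validator boots from a stale image

    anchor_with_end = TrustAnchor(old_key, _utc(2010, 1, 1), rollover_end)
    anchor_forever = TrustAnchor(old_key, _utc(2010, 1, 1), None)
    anchor_current = TrustAnchor(new_key, _utc(2015, 1, 1), None)

    return {
        # Old anchor carries an end date: it is discarded, zone becomes insecure.
        "missed rollover, anchor with end date": validation_state(
            [anchor_with_end], zone_keys_now, startup),
        # Old anchor valid forever (today's behaviour): zone is bogus.
        "missed rollover, anchor without end date": validation_state(
            [anchor_forever], zone_keys_now, startup),
        # Anchor refreshed before the rollover: still secure.
        "anchor kept current": validation_state(
            [anchor_with_end, anchor_current], zone_keys_now, startup),
        # Before the rollover end date nothing has changed.
        "before rollover": validation_state(
            [anchor_with_end], {old_key}, _utc(2014, 6, 1)),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:45s} -> {state}")
```

Run the module directly to print the four outcomes. The only input that differs between the first two scenarios is whether the stale anchor has an end date; with one it is dropped at startup and the zone falls to `insecure`, without one the validator keeps trusting a key the zone no longer serves and returns `bogus` for everything.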
