On Thu, 4 Apr 2013, Joe Abley wrote:
We need that statement because it's *not* bleeding obvious. I cannot think of a single thing built
into a 2007-era ISO of a Linux distro that would have a property similar to "it will
automatically give mysterious results for DNS service". It might have lots of unsafe software
turned on, but none that will say "I'll serve you" and then doesn't.
Also, there is a LOT of old, NEVER updated, 5-year-old networking kit out
there. Well, fortunately they are often clueless about DNSSEC, but still...
I'm guessing that *all* kit today that has been on the shelf for the past 5
years is clueless about the current root zone trust anchor, considering that we
generated it less than 3 years ago :-)
But we designed DNSSEC in such a way that the 5-year-old kit will still
work (as insecurely) as it was designed 5 years ago. That's not true if
we find root key copies in firmware now.
But we all had these discussions before; we had a draft for a special
zone that would contain historic root keys, etc. We just never found
something that would properly work (I believe the thread was entitled
"big router vendor" or something along those lines).
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop