On 3 Apr 2013, at 17:38, Evan Hunt <[email protected]> wrote:
>
> Then there's the issue Paul mentioned -- gear configured with a root KSK
> that gets switched off and not rebooted for a few months or years, and then
> no longer works and can't recover.

Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think.

I am not sure if ICANN intend their trust anchor download server to be used for this purpose or if vendors are expected to provision their own mirrors. I also don't know how to assess the trustworthiness of ICANN's signatures on the trust anchor.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
