>Did you see my original response? Proposals for automatic DNSSEC trust
>anchor updating *do* exist.

Is there any document that deals with the situation where a device has
been in a box for 10 years and then has to bootstrap automatically?

I'm not aware of any. But maybe there is.

Note that by and large such a device has no idea about time. NTP is not 
secure. Any key material stored on the box is no longer valid.

If the answer to DNSSEC bootstrapping is to use TLS, then there is still the
question of time: is the certificate that was stored on the box
10 years ago still usable?

Are there resolvers (and libraries like getdns) that can transition from
not having any trust anchors to full DNSSEC validation? Do other parts of
the same system see either DNSSEC failures or answers that were not
validated?
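As an added illustration (not part of this thread), a small Python model of the time problem raised above: a device with no trustworthy clock can still use a lower bound on the current time (assumed here to be its firmware build date, plus any timestamps persisted from previously authenticated data) to reject stored trust anchors or certificates that are certainly expired, but it cannot confirm that the remaining ones are still valid. The anchor names and validity windows are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year: int, month: int = 1, day: int = 1) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Anchor:
    """A stored DNSSEC trust anchor or TLS certificate with its validity window."""
    name: str
    not_before: datetime
    not_after: datetime


def time_lower_bound(firmware_build: datetime, persisted=()) -> datetime:
    """Latest instant the device can be sure has already passed.
    The firmware build date and timestamps persisted from previously
    authenticated data are safe lower bounds; the RTC is deliberately not
    consulted because it may have reset or been tampered with."""
    return max([firmware_build, *persisted])


def classify(anchor: Anchor, lower_bound: datetime) -> str:
    """Knowing only that true time >= lower_bound: "expired" (window is
    certainly over), "unknown" (window opens after the bound, so nothing can
    be said), or "possibly-valid" (not refuted, but not confirmed either)."""
    if anchor.not_after < lower_bound:
        return "expired"
    if anchor.not_before > lower_bound:
        return "unknown"
    return "possibly-valid"


def usable_candidates(anchors, lower_bound: datetime) -> list:
    """Names of anchors not ruled out; none is proven valid, so validation
    must not rely on them until a trusted time source is available."""
    return [a.name for a in anchors if classify(a, lower_bound) == "possibly-valid"]


# Constructed sample: device built mid-2014, shipped with a 5-year and a
# 20-year anchor (plus one that became valid later), boxed until 2024.
BUILD = utc(2014, 6)
STORED = [Anchor("anchor-5y", utc(2014), utc(2019)),
          Anchor("anchor-20y", utc(2014), utc(2034)),
          Anchor("anchor-future", utc(2020), utc(2030))]

if __name__ == "__main__":
    # With only the build date, the stale 5-year anchor still looks usable.
    print(usable_candidates(STORED, time_lower_bound(BUILD)))
    # Once an authenticated 2024 timestamp is learned, it is rejected.
    print(usable_candidates(STORED, time_lower_bound(BUILD, [utc(2024)])))
```

The result depends entirely on how far the lower bound has advanced, which is the point of the thread: without an authenticated time source the device cannot distinguish a stale anchor from a live one.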


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
