In message <[email protected]>, Edward Lewis writes:
>
> How many operational instances of "Automated Updates" [RFC 5011] are there?

DLV.ISC.ORG is formally doing RFC 5011. DLV.ISC.ORG is listed as a
managed-key in named's distribution. We have not performed a key
rollover however.

> Besides the root zone KSK, I don't know of any. I do some monitoring of
> DNSSEC practices, years ago I noticed one TLD appearing to follow
> RFC 5011's semantics. But in recent looks that TLD seems to have
> abandoned the practice (I've never made contact to confirm). In a scan
> of second-level names a month ago, I found only traces of revoked keys
> (KSK and ZSK!).

You can't tell if a zone is following RFC 5011 or not without asking
the operators or the operators stating so publicly. This statement
really should be published in the DNS.

> I ask because of the issues raised in the thread regarding the number of
> keys assumed in the operation. Automated Updates apparently (to me)
> was defined with more than one active secure entry point in mind, but
> in practice, the only operating example I've witnessed of Automated
> Updates relies on a single active secure entry point.
>
> I've asked around (tool developers) and, so far, no other examples have
> popped up.

I'm sure there are some out there.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
