This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC trust anchors for unsigned zones
- Previous message (by thread): [dns-wg] Re: [apnic-talk] AAAA records to be added for root servers
- Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Alexander Gall
gall at switch.ch
Wed Jan 30 11:34:33 CET 2008
Hi The current set of trust anchors distributed by RIPE NCC (<https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt>) includes the domains disi.nl example.net pwei.net None of these currently have any DNSSEC resource records (i.e. they are insecure), which effectively brakes those zones for everybody who uses that particular set of trust anchors. I guess this shows one of the operational problems with trust anchor management. These zones are not maintained by RIPE NCC itself and the administrators probably didn't bother to tell them that they've disabled DNSSEC (if they know or remember at all that their keys are distributed by a third party). I guess it would be more prudent for RIPE NCC to only distribute the keys for their own zones (those listed on <https://www.ripe.net/projects/disi//keys/>). -- Alex
- Previous message (by thread): [dns-wg] Re: [apnic-talk] AAAA records to be added for root servers
- Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]