This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
- Previous message (by thread): [dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
- Next message (by thread): [dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Edward Lewis
Ed.Lewis at neustar.biz
Mon Feb 8 15:33:36 CET 2010
At 15:12 +0100 2/8/10, Peter Koch wrote: >well, this may not lead anywhere useful. Regretfully I agree with Peter on this point and in that way. ;) No matter how long the Secure Entry Points (aka KSK) are in use, there will be a on-the-shelf piece of equipment that is turned on after the keys are history. Bill Manning made attempts to characterize that problem years ago - the most recent San Diego IETF if I recall correctly. Every time someone has a case that solves for up to N, there's a case for N+1. (Months, zones, servers, years, you name it.) Remember that DNSSEC is there to protect the resolver. I don't think there is any (or going to be any) one way that is manageable, scale-able, non-commercial (and/or open-source), quick, cheap, in-line, dynamic and convenient for zone operators to use to inform all recursive servers that there are new SEPs - whether just for the root zone or for all the zones, or even just for the roots of DNSSEC-ized subtrees. Well, no "one way" known in advance of deployment. Perhaps in two or three years we'll have an answer. Or in two or three years network administrators will just put up with "the jungle out there." -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 As with IPv6, the problem with the deployment of frictionless surfaces is that they're not getting traction.
- Previous message (by thread): [dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
- Next message (by thread): [dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]