This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
- Previous message (by thread): [dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
- Next message (by thread): [dns-wg] DNSSEC Signer Replacement Project
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
bmanning at vacation.karoshi.com
bmanning at vacation.karoshi.com
Mon Feb 8 16:22:52 CET 2010
morning Ed - thanks for reminding me. in that vein, there is a pending proposal to provide a proof of concept implementation of Internet-based "over the air" re-keying to facilitate un-scheduled key rollover. We've not (yet) augmented it to inculde an MofN set of hooks - but that would go a -long- way toward the "on the shelf" problem that RFC 5011 does not address well. Once we get it working, it is possible that we might bring it to the IETF for consideration. --bill On Mon, Feb 08, 2010 at 09:33:36AM -0500, Edward Lewis wrote: > At 15:12 +0100 2/8/10, Peter Koch wrote: > > >well, this may not lead anywhere useful. > > Regretfully I agree with Peter on this point and in that way. > > ;) > > No matter how long the Secure Entry Points (aka KSK) are in use, > there will be a on-the-shelf piece of equipment that is turned on > after the keys are history. > > Bill Manning made attempts to characterize that problem years ago - > the most recent San Diego IETF if I recall correctly. Every time > someone has a case that solves for up to N, there's a case for N+1. > (Months, zones, servers, years, you name it.) > > Remember that DNSSEC is there to protect the resolver. I don't think > there is any (or going to be any) one way that is manageable, > scale-able, non-commercial (and/or open-source), quick, cheap, > in-line, dynamic and convenient for zone operators to use to inform > all recursive servers that there are new SEPs - whether just for the > root zone or for all the zones, or even just for the roots of > DNSSEC-ized subtrees. > > Well, no "one way" known in advance of deployment. > > Perhaps in two or three years we'll have an answer. Or in two or > three years network administrators will just put up with "the jungle > out there." > -- > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > Edward Lewis > NeuStar You can leave a voice message at +1-571-434-5468 > > As with IPv6, the problem with the deployment of frictionless surfaces is > that they're not getting traction.
- Previous message (by thread): [dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
- Next message (by thread): [dns-wg] DNSSEC Signer Replacement Project
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]