This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] RIPE NCC DNSSEC trust anchors
- Previous message (by thread): [dns-wg] RIPE NCC DNSSEC trust anchors
- Next message (by thread): [dns-wg] RIPE NCC DNSSEC trust anchors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Peter Koch
pk at DENIC.DE
Thu Nov 13 18:38:37 CET 2014
Anand, all, On Thu, Nov 13, 2014 at 03:54:54PM +0100, Anand Buddhdev wrote: > 151.76.62.in-addr.arpa > ripe.int > ripen.cc > On Tuesday, 11 November 2014, we rolled our DNSSEC Key Signing Keys > and added the new trust anchors for these three zones to the ISC > DLV TAR. Because we believe manual configuration of trust anchors is > very rare these days, we are taking this opportunity to stop publishing > trust anchors for these three zones on our website. The trust anchors > remain available via the ISC DLV TAR. Of course, as soon as we are Thanks for this note. I'd rather not see the RIPE NCC further endorse the DLV technology and service by continuing to submit key material there. DLV was meant as a temporary deployment aid and might have been a good idea at its time. Nowadays, I consider it detrimental to deployment because it complicates matters for everybody deciding to actually validate (getting those figures up is the real challenge). Manually configured trust anchors aren't the ultimate wisdom, either, so with regard to the three zones above I wonder a) what is the actual benefit of extra steps for publishing the KSK out of band (continued signing obviously stremlines processes)? b) what steps could be taken to get the TA published the "natural" way? This is probably most interesting for the INT TLD, given all the current transition debate. Regards, Peter (no hat)
- Previous message (by thread): [dns-wg] RIPE NCC DNSSEC trust anchors
- Next message (by thread): [dns-wg] RIPE NCC DNSSEC trust anchors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]