[107163] in North American Network Operators' Group
Re: US government mandates? use of DNSSEC by federal agencies
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Aug 27 13:24:18 2008
Date: Wed, 27 Aug 2008 17:24:05 +0000
From: Leo Bicknell <bicknell@ufp.org>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <FEE64678-BE98-413C-8CBC-782B20182B6B@virtualized.org>
In a message written on Wed, Aug 27, 2008 at 10:14:48AM -0700, David Conrad wrote:
> Note that if you do turn on DNSSEC, you're going to have to make sure
> the trust anchors you configure get updated. Trust anchors have a
> validity period and if they're not updated before they expire
> validation will fail (which will appear to users of the resolver
> pretty much like a DNS failure for all the names in the signed zone).
> "Be careful out there."
While signing the root is the best solution, an alternate solution
until that happens is DLV, as documented in RFC 4431. You can run
your own setup, or trust someone to do it for you. Note that ISC
runs a DLV registry, if you wanted to trust them:
https://secure.isc.org/index.pl?/ops/dlv/
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
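The lookaside check that Leo's reply refers to, as an added example that is not part of the post and not ISC's code: a minimal model of what a DLV-aware validator (RFC 4431) does when it has no chain of trust from a signed root. A DLV record has the same RDATA as a DS record (key tag, algorithm, digest type, digest); the registry publishes it under the zone name with the DLV domain appended, and the digest is still computed over the zone's own apex name plus the DNSKEY RDATA, exactly as for a DS record (RFC 4034 section 5.1.4). The DLV domain dlv.isc.org is taken from the post; the key bytes, the registry contents and the function names are constructed for the example.

```python
import hashlib
import struct

# Added example, not code from the post or from ISC.  The DLV domain is the
# one named in the post; everything else (key bytes, registry data) is
# constructed for illustration.

DLV_DOMAIN = "dlv.isc.org."            # assumed: any DLV registry would do

# DS/DLV digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of a domain name (lowercase labels, RFC 4034 s6.2)."""
    name = name.strip(".").lower()
    labels = name.split(".") if name else []
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA, RFC 4034 appendix B (not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone, rdata, digest_type):
    """DS (and DLV) digest: hash over the DNSKEY owner name and its RDATA."""
    return DIGESTS[digest_type](name_to_wire(zone) + rdata).digest()


def dlv_name(zone, dlv_domain=DLV_DOMAIN):
    """Lookaside owner name: the DLV for example.com lives at example.com.dlv.isc.org."""
    zone = zone.strip(".").lower()
    if not zone:
        raise ValueError("the root has no lookaside name")
    return zone + "." + dlv_domain.strip(".").lower() + "."


def dlv_record(zone, rdata, digest_type=2):
    """DLV RDATA a registry publishes for a zone's key: (tag, alg, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(zone, rdata, digest_type))


def dlv_entry_point(qname, dlv_rrsets, dlv_domain=DLV_DOMAIN):
    """Most specific ancestor of qname that has a DLV RRset, or None.

    A validator with no DS chain for qname strips labels until a lookaside
    name exists; that zone is where lookaside validation starts.
    """
    labels = qname.strip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if dlv_rrsets.get(dlv_name(zone, dlv_domain)):
            return zone
    return None


def validate_dnskey_via_dlv(zone, rdata, dlv_rrsets, dlv_domain=DLV_DOMAIN):
    """True if some DLV record at zone.<dlv_domain> matches this DNSKEY."""
    tag, alg = key_tag(rdata), rdata[3]
    for rtag, ralg, dtype, digest in dlv_rrsets.get(dlv_name(zone, dlv_domain), ()):
        if rtag != tag or ralg != alg or dtype not in DIGESTS:
            continue
        if ds_digest(zone, rdata, dtype) == digest:
            return True
    return False


# Constructed data: a fake KSK (flags 257, algorithm 5 = RSASHA1) for example.com.
FAKE_PUBKEY = bytes(range(1, 65))
EXAMPLE_KSK = dnskey_rdata(257, 5, FAKE_PUBKEY)

# What the (assumed) registry would serve, keyed by lookaside owner name;
# think of it as the answer to: dig example.com.dlv.isc.org. DLV
REGISTRY = {dlv_name("example.com."): [dlv_record("example.com.", EXAMPLE_KSK)]}

if __name__ == "__main__":
    print("lookaside name:", dlv_name("example.com."))
    print("entry point for www.example.com.:", dlv_entry_point("www.example.com.", REGISTRY))
    print("genuine key validates:", validate_dnskey_via_dlv("example.com.", EXAMPLE_KSK, REGISTRY))
    bogus = dnskey_rdata(257, 5, bytes(64))
    print("substituted key validates:", validate_dnskey_via_dlv("example.com.", bogus, REGISTRY))
```

In BIND 9 the corresponding resolver configuration is `dnssec-lookaside "." trust-anchor dlv.isc.org;` together with a `trusted-keys` entry for the DLV domain's own key. That one anchor is what still has to be kept current, which is the trade-off against the concern in the quoted message: instead of tracking an anchor per signed zone, the resolver tracks the registry's key and the registry tracks the zones. Because the DLV digest is computed over the zone's apex name, the record a registry publishes is the zone's DS record with the owner name changed, which is what `dnssec-dsfromkey -l <dlv-domain>` emits.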