[134220] in North American Network Operators' Group
Re: .gov DNSSEC operational message - picking a fight
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Wed Dec 29 11:37:01 2010
Date: Wed, 29 Dec 2010 16:36:30 +0000
From: bmanning@vacation.karoshi.com
To: Tony Finch <dot@dotat.at>
In-Reply-To: <B181BA24-E722-49A2-B838-ABDA3C7DB6B8@dotat.at>
Cc: "bmanning@vacation.karoshi.com" <bmanning@vacation.karoshi.com>,
"nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Dec 29, 2010 at 02:56:35PM +0000, Tony Finch wrote:
> On 28 Dec 2010, at 22:46, bmanning@vacation.karoshi.com wrote:
> >
> > IMHO, key management should be able to use an OOB channel
> > when the in-band is corrupted or overloaded. Reliance on
> > strictly the IB channel presumes there will be no problems
> > with that channel. EVER. For me, I don't want to take
> > that risk. YMMV of course.
>
> If normal DNS resolution fails to work then there's no point in getting the keys from another source since there's no data for them to validate.
oh resolution works a treat. it's the validation that gets hosed. :)
--bill