On Thu, 23 Apr 2009, Joe Abley wrote: [ enabling DNSSEC from stale install media that has an old trust anchor ]
> I don't like the idea of incorporating magic numbers (e.g. "nine months") algorithmically when trying to determine suitability of an old trust anchor.
I don't like it either, but currently I don't see how to avoid this. The problem might not be as severe, since when installing a new machine and getting updates, one would think the newly installed machine is not using itself as a resolver, since we only enable DNSSEC on resolvers now, not on every install (yet). But once every install gets DNSSEC, one reboot would do it. But perhaps that can be caught with the "firstboot" feature of Fedora (I'm sure Ubuntu has similar features).
> But it seems like a bad idea to package trust anchors administered by others with any piece of software, if there's a chance that those trust anchors are going to form a circular dependency in the process of updating them.
Circular dependencies are very common in the OS building/shipping model.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop