On Mon, Jun 29, 2015 at 8:03 PM, manning <bmann...@karoshi.com> wrote:
> Why, yes, I still do. (and it can be found in the IETF archives)
> https://tools.ietf.org/html/draft-ietf-dnsext-trustupdate-threshold-01
>
> As to why, perhaps I am missing the obvious, but if SUDSTA proceeds, does
> it matter if the origin IP of the root zone being served
> is sporadically distributed? It seems that one could not presume to have
> the data to assert the penetration of the new keys nor the
> origin of the stale keys, if that information was diffused through the IP
> address space.
>
> manning
> bmann...@karoshi.com
> PO Box 12317
> Marina del Rey, CA 90295
> 310.322.8102
>
> On 29June2015Monday, at 16:28, David Conrad <d...@virtualized.org> wrote:
>
> > Bill,
> >
> >> This looks very much like the draft that Olaf, Johan, and I wrote at
> >> the same time MSJ was proposing what we have now.
> >> You might want to talk to either Olaf or Johan for more details.
> >
> > Don't suppose anyone has a copy of that draft?
> >
> >> And yes, this will fail if any of the loopback drafts are deployed.
> >
> > Sorry, I must be missing something obvious. Why?
> >
> > Regards,
> > -drc

Either method seems usable, but we really need one of them deployed.

Local root on loopback - if they update the root zone regularly, it should just work, right?

If they don't update, they will keep validating with the old root keys - will the next level break as soon as the old root key is gone, or only when a subzone rolls their key based on the new root key?

--
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop