On Mon, Jun 29, 2015 at 8:03 PM, manning <bmann...@karoshi.com> wrote:

> Why, yes, I still do.  (and it can be found in the IETF archives)
> https://tools.ietf.org/html/draft-ietf-dnsext-trustupdate-threshold-01
>
> As to why, perhaps I am missing the obvious, but if SUDSTA proceeds, does
> it matter if the origin IP of the root zone being served
> is sporadically distributed?   It seems that one could not presume to have
> the data to assert the penetration of the new keys nor the
> origin of the stale keys, if that information was diffused through the IP
> address space.
>
>
> manning
> bmann...@karoshi.com
> PO Box 12317
> Marina del Rey, CA 90295
> 310.322.8102
>
>
>
> On 29June2015Monday, at 16:28, David Conrad <d...@virtualized.org> wrote:
>
> > Bill,
> >
> >> This looks very much like the draft that Olaf, Johan, and I wrote at
> >> the same time MSJ was proposing what we have now.
> >> You might want to talk to either Olaf or Johan for more details.
> >
> > Don't suppose anyone has a copy of that draft?
> >
> >> And yes, this will fail if any of the loopback drafts are deployed.
> >
> > Sorry, I must be missing something obvious. Why?
> >
> > Regards,
> > -drc
> >
>
> Either method seems usable, but we really need one of them deployed

Local root on loopback - if they update the root zone regularly, it should
just work, right?  If they don't update, they will keep validating with the
old root keys - will the next level break as soon as the old root key is
gone, or only when a subzone rolls their key based on the new root key?

-- 
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
