On Wed, 16 Nov 2016, Ted Lemon wrote:
> Why would you put a device on the shelf for ten years? Is this a real
> scenario? This is certainly a known issue that has been talked about at
> length--the conclusion when it was discussed is that there is nothing we
> can do about it, and it's relatively unlikely, and manually fixable.

How is it manually fixable? By someone to ssh into the device and edit a
file with new key material?
My mom can't do this.
I have personally picked a Cisco AGS out of an unopened box in 2010. By
then it was probably 15-20 (?) years old?
Anyhow, my takeaway from this message is that DNSSEC can't be used as a
mechanism for device autoconfiguration. No device trying to autoconfigure
itself can rely on DNSSEC, because there is a fairly short (few years)
window for that device to get plugged in, because after that it can't
autoconfigure itself.
Correct?
--
Mikael Abrahamsson email: swm...@swm.pp.se
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop