On Thu, 17 Nov 2016, Ted Lemon wrote:
> Embedded systems of this sort need to have a management process so that
> that can be updated. This is needed for more reasons than DNSSEC. Putting a
> ten year old device on a network without upgrading the firmware is
> irresponsible.

We have been discussing zerotouch (i.e. 0 day no-human-intervention plugin
of device). This includes the device configuring itself by means of
different methods, and also software-updating itself before it starts to
provide any services.

DNSSEC (possibly DANE) has been proposed to be one way of finding this
configuration. This is now obviously out of the question unless the
problem I described can be solved.

So this all boils down to:

Do the people involved in DNSSEC want their protocol to be part of the
long term solution of securing bootstrapping things? Yes? No?

Right now the answer is no. 9 months shelf life and then DNSSEC fails is
just not usable for things that don't have active human intervention in
their configuration and setup.

--
Mikael Abrahamsson email: swm...@swm.pp.se