> On Nov 16, 2016, at 5:05 AM, George Michaelson <g...@algebras.org> wrote:
> 
> On the current timeline, October 11 ->  January 11 so three months.
> 
> Vendors of sealed units who ship equipment from before October 11 with
> delivery held up for three months at the docks by a strike, or people
> who put the sealed unit into a long-delay orbit to Mars to be turned
> on by Matt Damon on arrival have a problem here, if they don't have a
> backdoor manual override.
> 
> How many vendors do you think are in this space, not shipping a .trx
> or other download which installs the new info?
> 
> On Wed, Nov 16, 2016 at 6:56 PM, Mikael Abrahamsson <swm...@swm.pp.se> wrote:
>> On Wed, 16 Nov 2016, George Michaelson wrote:
>> 
>>> I feel this is a corner case. My experience with 'mom' whitegoods is that
>>> they age out much faster than the 10+ year case. Shops do not hold
>>> electronic goods for sale that long, if it's old but unboxed, you have taken
>>> yourself into a dark alley deliberately. If you genuinely were supporting
>>> your mum by buying two, and keeping one offline for 10 years you would have
>>> done better buying one, and replacing after 5.
>> 
>> 
>> Ok, so let me ask an operational question:
>> 
>> The way current root zone key rollovers are thought to be used, what's the
>> theoretical shortest worst-case shelf life of a device that relies on DNSSEC
>> working for itself to work properly?
>> 
>> So if it's manufactured the day before a new key is publicly released,
>> when is the key material it has built in no longer viable to have successful
>> DNSSEC validation?
> 

IMHO the device should have two sources of truth for the DNSSEC root TA:
a) DNS via RFC 5011
b) Secure software update from the vendor

If both fail then the operator should be invoked.

There are other options but they all go into what I call “opportunistic
learning” and are not documented:
TALINK was one of them,
a PGP-signed TA from a known address is another one,
sending lots of queries and learning the current root key is another.

In short, if a device has only what it is configured with at the factory as its source
for the DNSSEC TA, the device has a good chance of being a brick
when it is connected.

You are right, we should give some guidance to OS and systems manufacturers about
how to handle DNSSEC rollovers.

Olafur


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
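
The fallback order described in the reply above (RFC 5011, then vendor update, then operator) and the shelf-life question it answers can be modelled in a few lines. This is an added example, not code from the thread or from any resolver; the function names and all dates are constructed, and the model is simplified to the 30-day RFC 5011 Add Hold-Down Time (the RFC extends it when the DNSKEY TTL is longer).

```python
from datetime import date, timedelta

# RFC 5011 Add Hold-Down Time: a new key must be observed in a DNSKEY RRset
# validly signed by an already-trusted key for 30 days before it is trusted.
ADD_HOLD_DOWN = timedelta(days=30)


def rfc5011_succeeds(power_on, new_key_published, old_key_last_signs):
    """True if a device holding only the old key can learn the new key in-band.

    old_key_last_signs is the last day the old key still signs the root
    DNSKEY RRset (hypothetical parameter name, simplified model).
    """
    # The device first sees the new key when it is both online and published.
    first_seen = max(power_on, new_key_published)
    # It must still be able to validate the RRset when the hold-down expires.
    return first_seen + ADD_HOLD_DOWN <= old_key_last_signs


def latest_safe_power_on(old_key_last_signs):
    """Last power-on date at which RFC 5011 alone can still carry the device."""
    return old_key_last_signs - ADD_HOLD_DOWN


def trust_anchor_source(power_on, new_key_published, old_key_last_signs,
                        vendor_update_ok):
    """Pick the source of truth in the order: RFC 5011, vendor update, operator."""
    if rfc5011_succeeds(power_on, new_key_published, old_key_last_signs):
        return "rfc5011"
    if vendor_update_ok:
        return "vendor-update"
    return "operator"


if __name__ == "__main__":
    # Constructed timeline, not the real root KSK schedule.
    published = date(2020, 1, 1)
    last_signs = date(2020, 4, 1)
    print("latest safe power-on:", latest_safe_power_on(last_signs))
    for on in (date(2019, 6, 1), date(2020, 3, 2), date(2020, 3, 3)):
        print(on, trust_anchor_source(on, published, last_signs, False))
```
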
