On 8/29/2024 9:14 PM, Warren Kumari wrote:
> Yes, I might *personally* decide to use the IANA TA after the
> validUntil if they haven't published a new one. If I did, that would
> be entirely my own (bad) decision, and I'm clearly doing something
> unsupported… just like if I happen to eat a can of beans past their
> expiration date…
*bleah* What an awful analogy. Not even close.
If there are NO OTHER TRUST ANCHORS and you decide to automatically stop
trusting the ONLY EXISTING TRUST ANCHOR because IANA didn't manage to
keep to its schedule to add a new trust anchor (which has happened more
often than not)... you deserve exactly what you're going to get. The
ENTIRE DNS tree falling off of your visibility because you can't
validate anything because you treated the "we plan to stop on this day"
as "this is invalid whether or not we actually do something".
Trust anchors mostly don't have an expiration date for just this reason.
DNSSEC could have specified one, but it didn't. Having IANA ignore the
DNSSEC spec and tell people to trust that a TA has an expiration date
is what's unsupported.
What's also unsupported is automatically deleting the TA based on this
file, rather than deleting a TA once it's been revoked.
Be careful in how you use "unsupported" - I would doubt you'd be able to
support the assertion from the other DNSSEC documents.
Later, Mike
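As an added illustration, not code from the thread or from any validator, of the trust-anchor handling Mike argues for: the validFrom/validUntil window in a root-anchors.xml-style file is treated as advisory and only logged, and an anchor is dropped only when the root DNSKEY with its key tag is observed carrying the RFC 5011 REVOKE flag. The XML is a constructed sample that borrows the element names of IANA's file; the key tags, digests and dates are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample modelled on the root-anchors.xml element names.
# Key tags, digests and dates are placeholders, not real root-zone values.
SAMPLE_ANCHORS = """<TrustAnchor id="example" source="constructed">
  <Zone>.</Zone>
  <KeyDigest id="old" validFrom="2010-07-15T00:00:00+00:00"
             validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>0000</Digest>
  </KeyDigest>
  <KeyDigest id="current" validFrom="2017-02-02T00:00:00+00:00"
             validUntil="2026-01-01T00:00:00+00:00">
    <KeyTag>22222</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>1111</Digest>
  </KeyDigest>
</TrustAnchor>"""

REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field


def load_anchors(xml_text):
    """Map key tag -> validUntil (aware datetime, or None if absent)."""
    anchors = {}
    for kd in ET.fromstring(xml_text).findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors[int(kd.findtext("KeyTag"))] = (
            datetime.fromisoformat(until) if until else None)
    return anchors


def reconcile(anchors, observed_flags, now):
    """Return (kept, dropped, warnings).

    observed_flags maps key tag -> flags of the root DNSKEY seen with that
    tag.  An anchor is dropped only when that key carries the REVOKE bit;
    a passed validUntil yields a warning but the anchor stays in the store.
    """
    kept, dropped, warnings = [], [], []
    for tag, until in anchors.items():
        flags = observed_flags.get(tag)
        if flags is not None and flags & REVOKE:
            dropped.append(tag)
            continue
        if until is not None and now > until:
            warnings.append(f"key tag {tag}: validUntil {until.date()} has "
                            "passed; keeping anchor until revoked")
        kept.append(tag)
    return kept, dropped, warnings
```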
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org