On 8/29/2024 9:14 PM, Warren Kumari wrote:
> Yes, I might *personally* decide to use the IANA TA after the validUntil if they haven't published a new one. If I did, that would be entirely my own (bad) decision, and I'm clearly doing something unsupported… just like if I happen to eat a can of beans past their expiration date…

*bleah* What an awful analogy. Not even close.

If there are NO OTHER TRUST ANCHORS and you decide to automatically stop trusting the ONLY EXISTING TRUST ANCHOR because IANA didn't manage to keep to its schedule to add a new trust anchor (which has happened more often than not)... you deserve exactly what you're going to get. The ENTIRE DNS tree falling off of your visibility because you can't validate anything because you treated the "we plan to stop on this day" as "this is invalid whether or not we actually do something".

Trust anchors mostly don't have an expiration date for just this reason. DNSSEC could have specified one, but it didn't. Having IANA ignore the DNSSEC spec and tell people to trust that a TA has an expiration date is what's unsupported.

What's also unsupported is automatically deleting the TA based on this file, rather than deleting a TA once it's been revoked.

Be careful in how you use "unsupported" - I would doubt you'd be able to support the assertion from the other DNSSEC documents.

Later, Mike
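As an added example (not from this thread, and not IANA's or any resolver's own code) of the handling Mike is arguing for: validUntil in the anchor file is treated as schedule information that only produces a warning, and a trust anchor is removed only when its key is actually observed revoked (the RFC 5011 REVOKE flag bit in the DNSKEY). The XML, key tags, digests and the "current time" are constructed placeholders in the shape of root-anchors.xml, not the real root KSK values.

```python
"""Added example: validUntil is advisory; a root TA is dropped only on revocation."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

REVOKE_BIT = 0x80  # RFC 5011 REVOKE flag in the DNSKEY flags field
NOW_2024 = datetime(2024, 9, 1, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample shaped like IANA's root-anchors.xml; ids, key tags and
# digests are placeholders, not the real root KSK values.
SAMPLE_XML = (
    '<TrustAnchor id="EXAMPLE" source="http://example.invalid/root-anchors.xml">'
    "<Zone>.</Zone>"
    '<KeyDigest id="oldkey" validFrom="2017-02-02T00:00:00+00:00"'
    ' validUntil="2019-01-11T00:00:00+00:00"><KeyTag>11111</KeyTag>'
    "<Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>"
    "0000000000000000000000000000000000000000000000000000000000000001"
    "</Digest></KeyDigest>"
    '<KeyDigest id="curkey" validFrom="2017-02-02T00:00:00+00:00"'
    ' validUntil="2024-12-31T00:00:00+00:00"><KeyTag>22222</KeyTag>'
    "<Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>"
    "0000000000000000000000000000000000000000000000000000000000000002"
    "</Digest></KeyDigest></TrustAnchor>"
)

def parse_anchors(xml_text):
    """One dict per KeyDigest; validUntil is optional in the real file."""
    anchors = []
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        until = kd.get("validUntil")
        anchors.append({"id": kd.get("id"), "keytag": int(kd.findtext("KeyTag")),
                        "valid_until": datetime.fromisoformat(until) if until else None})
    return anchors

def is_revoked(dnskey_flags):
    """True when the DNSKEY RR observed for this key carries the REVOKE bit."""
    return bool(dnskey_flags & REVOKE_BIT)

def apply_policy(anchors, now, observed_flags):
    """observed_flags: key tag -> flags seen in the signed root DNSKEY RRset."""
    kept, warnings = [], []
    for ta in anchors:
        if is_revoked(observed_flags.get(ta["keytag"], 0)):
            warnings.append(f"{ta['id']}: revoked, removing")
            continue  # the only case in which the TA is deleted
        if ta["valid_until"] and now > ta["valid_until"]:
            warnings.append(f"{ta['id']}: past validUntil, keeping (schedule, not revocation)")
        kept.append(ta)
    if not kept:
        warnings.append("no trust anchors left: nothing in the tree will validate")
    return kept, warnings
```

Running apply_policy(parse_anchors(SAMPLE_XML), NOW_2024, {11111: 385}) keeps only "curkey" (385 = KSK + SEP + REVOKE), while the expired-but-unrevoked "oldkey" is kept with a warning when no revocation is observed.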



_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org