--- Begin Message ---
Viktor Dukhovni wrote:-
>I do hope that, as a community, we'll continue to steadily streamline
>acceptable NSEC3 parameters (per RFC9276) down to 0 additional
>iterations and short enough salt values (that don't result in additional
>SHA-1 input blocks).
What would be the la
--- Begin Message ---
Randy Bush wrote:-
>it occurred to me that it might be wise to have a rancid like
>(https://shrubbery.net/rancid/) equivalent for critical domains.
>i.e. to git record changes and warn of radical diffs.
>
>is there any foss tooling in this space?
For the recording, I do som
--- Begin Message ---
Our systems use some RIPE Atlas anchors for general connectivity
monitoring. Just now, they all failed.
It looks as if DNSSEC has expired:-
https://dnsviz.net/d/anchors.atlas.ripe.net/dnssec/
It also looks as if other things in ripe.net may also have expired (eg
www.ripe.n
--- Begin Message ---
Dave Knight wrote:-
>> all you can validate is the NS set. The host records cannot be validated
>> because root-servers.net is not signed.
>
>Good point!
>
>They're still used to replace what was provided in the root.hints after the
>priming response is received though.
Wi