> On Apr 26, 2018, at 11:41 AM, Richard Barnes <r...@ipv.sx> wrote:
>
> Until my DNSSEC signing infra breaks, the signatures expire, and now my
> server is bricked.
If that happens, you're bricked anyway: the 1.1.1.1, 8.8.8.8, 9.9.9.9, 64.6.64.6, ... resolvers all validate and are used by a broad and rapidly growing set of users. Sites that consider DNSSEC too risky won't deploy DNSSEC and then of course won't deploy this extension.

That said, the explicit lifetime field also in part addresses your concerns about recovery from operational errors. Set it to zero or a small number (of hours; units deliberately left out of proposed changes to this draft to make sure non-zero values are unspecified).

Of course, given ever more sophisticated BGP attacks:

https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/

you might actually want to consider DNSSEC, implement it properly and monitor, and the bricking won't happen.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
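As an added example (not from the thread, the draft, or any project's code), a small monitoring check in Python for the failure mode discussed above: it parses RRSIG records in zone-file presentation format and flags signatures that are expired, not yet valid, or inside a warning window, so a re-signing job that has silently stopped is noticed before validating resolvers start returning SERVFAIL. The `example.test.` zone, key tag and signature values are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG records in presentation format (not real zone data).
# Field order per RFC 4034 section 3.2: type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature
# (the base64 signature is a placeholder here).
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG TLSA 13 4 3600 20180503120000 20180419120000 12345 example.test. AAAAexample==
example.test. 3600 IN RRSIG A 13 2 3600 20180427120000 20180420120000 12345 example.test. AAAAexample==
"""

RRSIG_TIME = "%Y%m%d%H%M%S"  # YYYYMMDDHHmmSS, always UTC


def parse_rrsig(line):
    """Return (owner, type_covered, expiration, inception) for one RRSIG line."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    owner, type_covered = fields[0], fields[4]
    expiration = datetime.strptime(fields[8], RRSIG_TIME).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(fields[9], RRSIG_TIME).replace(tzinfo=timezone.utc)
    return owner, type_covered, expiration, inception


def expiring_signatures(zone_text, now, warn_hours=48):
    """Return [(owner, type, hours_left)] for every RRSIG that is already
    expired, not yet valid, or expires within warn_hours of `now`.
    hours_left is negative for an already-expired signature."""
    findings = []
    for line in zone_text.splitlines():
        if not line.strip():
            continue
        owner, rtype, expiration, inception = parse_rrsig(line)
        hours_left = (expiration - now).total_seconds() / 3600
        if now < inception or hours_left <= warn_hours:
            findings.append((owner, rtype, round(hours_left, 1)))
    return findings


if __name__ == "__main__":
    # Evaluate the constructed zone as of the thread's date (2018-04-26, UTC).
    as_of = datetime(2018, 4, 26, 12, 0, tzinfo=timezone.utc)
    for owner, rtype, hours in expiring_signatures(SAMPLE_RRSIGS, as_of):
        print(f"WARNING: RRSIG {owner} {rtype} expires in {hours} hours; re-sign now")
```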