Re: US government mandates? use of DNSSEC by federal agencies

• From: Leo Bicknell
• Date: Wed Aug 27 13:24:20 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

In a message written on Wed, Aug 27, 2008 at 10:14:48AM -0700, David Conrad wrote:
> Note that if you do turn on DNSSEC, you're going to have to make sure  
> the trust anchors you configure get updated.  Trust anchors have a  
> validity period and if they're not updated before they expire  
> validation will fail (which will appear to users of the resolver  
> pretty much like a DNS failure for all the names in the signed zone).   
> "Be careful out there."

While signing the root is the best solution, an alternate solution
until that happens is DLV, as documented in RFC 4431.  You can run
your own setup, or trust someone to do it for you.  Note that ISC
runs a DLV registry, if you wanted to trust them:
https://secure.isc.org/index.pl?/ops/dlv/

-- 
       Leo Bicknell - [email protected] - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

Attachment: pgp00024.pgp
Description: PGP signature

• References:
  • Re: US government mandates? use of DNSSEC by federal agencies Kevin Oberman
  • Re: US government mandates? use of DNSSEC by federal agencies Michael Thomas
  • Re: US government mandates? use of DNSSEC by federal agencies Jared Mauch
  • Re: US government mandates? use of DNSSEC by federal agencies David Conrad

• Prev by Date: Re: interger to I P address
• Next by Date: Re: US government mandates? use of DNSSEC by federal agencies
• Date Index
• Thread Index
• Author Index
• Historical