nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: US government mandates? use of DNSSEC by federal agencies

From: Leo Bicknell <bicknell () ufp org>
Date: Wed, 27 Aug 2008 17:24:05 +0000
In a message written on Wed, Aug 27, 2008 at 10:14:48AM -0700, David Conrad wrote:

Note that if you do turn on DNSSEC, you're going to have to make sure  
the trust anchors you configure get updated.  Trust anchors have a  
validity period and if they're not updated before they expire  
validation will fail (which will appear to users of the resolver  
pretty much like a DNS failure for all the names in the signed zone).   
"Be careful out there."


While signing the root is the best solution, an alternate solution
until that happens is DLV, as documented in RFC 4431.  You can run
your own setup, or trust someone to do it for you.  Note that ISC
runs a DLV registry, if you wanted to trust them:
https://secure.isc.org/index.pl?/ops/dlv/

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: