[dns-operations] Unplanned DLV zone outage on 2009-Apr-06
Eric Osterweil
eoster at CS.UCLA.EDU
Wed Apr 15 03:06:59 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Apr 14, 2009, at 7:31 PM, Mark Andrews wrote:
>
> In message <F095B7FC-F8BF-4E89-847A-B77EA42E3C8C at CS.UCLA.EDU>, Eric
> Osterweil writes:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> On Apr 14, 2009, at 4:16 PM, Jeremy C. Reed wrote:
>>
>>> On Tue, 14 Apr 2009, Eric Osterweil wrote:
>>>
>>> What happens if the unknowing zone decided to become unsigned but
>>> the DLV still indicates that it should be signed? (Due to no
>>> relationship and communication with the DLV.)
>>
>> We only serve keys that were seen during the last poll and that have
>> valid RRSIGs (i.e. if they've expired we don't list them). If a zone
>> signs for (say) a month, and then removes its signed material the
>> next day, that's already a bit of a faux pas.
>
> Garbage.
<snip>
Ignoring flame.
>
> When I publish trusted keys then I need to consider other people.
> Until I publish trusted keys I don't need to consider other people.
>
> I can publish trusted keys in multiple manners.
> * provide DS/DNSKEY to parent, key changes are now constrained by
> parent/child relationship and associated TTLs.
Unsigned parent?
>
> * provide DS/DNSKEY to DLV, key changes are now constrained by DLV/zone
> relationship and associated TTLs.
Which DLV? Does everyone have to agree to use only 1?
>
> * publish the DNSKEYs via HTTP and provide the rollover mechanism
> details.
How does any given resolver learn of your zone's web page?
>
> * publish the DNSKEYs in the newspaper and provide the rollover
> mechanism details.
ibid.
>
> * publish the DNSKEYs via a TAR, key changes are now constrained by
> the TAR's refresh policies.
I'll refrain from discussing things that don't exist yet.
Eric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iEYEARECAAYFAknlT1MACgkQK/tq6CJjZQJddQCeMfWJ8RzADUWqoh1ZXrYiZnn9
4vEAoJJ9+me4FOVpDfY/l68mO3nrT/I1
=MgfF
-----END PGP SIGNATURE-----
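The listing policy Eric describes above (serve only the keys seen in the last poll that are covered by an unexpired RRSIG, so a zone that stops signing drops out at the next poll) as an added, self-contained example. This is illustrative code written for this page, not ISC's DLV registry code; the zone name, the "dlv.example." registry domain, the key material and the signature timestamps are constructed, and the cryptographic RRSIG verification is assumed to have been done by the poller's validator (the `verified` flag) rather than reimplemented. What it does implement is the RFC 4034 pieces a registry needs: serial-number comparison of RRSIG inception/expiration (section 3.1.5), key tags (Appendix B) and the DS-format digest a DLV record carries (RFC 4431, RFC 4034 section 5.1.4).

```python
"""DLV-style registry poll (added example; not ISC's implementation)."""
import hashlib
from dataclasses import dataclass, field

SERIAL_HALF = 1 << 31
SERIAL_MOD = 1 << 32


def serial_le(a: int, b: int) -> bool:
    """a <= b in RFC 1982 32-bit serial arithmetic, which RFC 4034 3.1.5
    requires for RRSIG time comparisons (so wrap-around does not break them)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return True
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def rrsig_in_window(inception: int, expiration: int, now: int) -> bool:
    """True when inception <= now <= expiration (serial arithmetic)."""
    return serial_le(inception, now) and serial_le(now, expiration)


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int    # 8 = RSASHA256; value only used as a label here
    public_key: bytes  # constructed blob, not a real key

    def rdata(self) -> bytes:
        # flags (2) | protocol 3 (1) | algorithm (1) | public key
        return bytes([self.flags >> 8, self.flags & 0xFF, 3, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (algorithms other than 1)."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class RRSIG:
    owner: str
    type_covered: str
    key_tag: int
    inception: int   # seconds since the epoch, as in the wire format
    expiration: int
    verified: bool = True  # assumed result of the validator's crypto check


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dlv_record(key: DNSKEY, registry: str = "dlv.example.") -> str:
    """DLV RR (RFC 4431) uses DS RDATA: tag, alg, digest type 2 = SHA-256 over
    owner-name wire form || DNSKEY RDATA (RFC 4034 5.1.4). Registry domain assumed."""
    digest = hashlib.sha256(owner_wire(key.owner) + key.rdata()).hexdigest().upper()
    return f"{key.owner}.{registry} DLV {key.key_tag()} {key.algorithm} 2 {digest}"


@dataclass
class DLVRegistry:
    listed: dict = field(default_factory=dict)  # zone -> {key_tag: DNSKEY}

    def poll(self, zone: str, dnskeys, rrsigs, now: int) -> dict:
        """One poll of `zone`. The new listing is exactly the SEP keys seen now
        whose DNSKEY RRset is covered by an in-window, verified RRSIG made by a
        key in that same RRset. Keys not seen, or covered only by expired
        signatures, are dropped, so a zone that goes unsigned delists itself."""
        present = {k.key_tag(): k for k in dnskeys if k.owner == zone}
        covered = any(
            s.owner == zone and s.type_covered == "DNSKEY" and s.verified
            and s.key_tag in present
            and rrsig_in_window(s.inception, s.expiration, now)
            for s in rrsigs)
        new = {tag: k for tag, k in present.items() if k.flags & 1} if covered else {}
        self.listed[zone] = new
        return new


if __name__ == "__main__":
    # Constructed data: a KSK signed 2009-04-09 with a 30-day validity period.
    ksk = DNSKEY("example.org", 257, 8, bytes([0x03, 0x01, 0x00, 0x01]))
    sig = RRSIG("example.org", "DNSKEY", ksk.key_tag(), 1239235200, 1241827200)
    reg = DLVRegistry()
    print(reg.poll("example.org", [ksk], [sig], now=1239600000))  # listed
    print(dlv_record(ksk))
    print(reg.poll("example.org", [ksk], [sig], now=1243000000))  # RRSIG expired: {}
    print(reg.poll("example.org", [], [], now=1243000000))        # zone went unsigned: {}
```

Note that the registry's view lags the zone by one poll interval plus the TTL of whatever it has already served, which is exactly the "constrained by relationship and associated TTLs" point in the quoted list: removing signed material the day after getting listed leaves resolvers with a DLV record for a zone that no longer validates until the next poll and TTL expiry catch up.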