
Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?




Stephane Bortzmeyer wrote:
> On Sat, Jul 26, 2008 at 01:14:08AM +0200,
>  Roy Arends <roy@nominet.org.uk> wrote 
>  a message of 28 lines which said:
> 
>> When a validator has a trust anchor configured for root, it _expects_ 
>> signatures for root. 
> 
> Which means there is no way back? If we sign ".fr", and people start
> to configure the trust anchor for ".fr" in their validating resolvers,
> we can no longer revert to the original, non-signed, system, should
> problems occur?

If you use a mechanism like the one described in RFC 5011, there is a way back.
Section 5 says:

"A trust point that has all of its trust anchors revoked is considered
 deleted and is treated as if the trust point was never configured."

So you have to revoke your KSKs and give resolvers some time to update
their trust anchors.

- Matthijs




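The "way back" Matthijs describes can be followed through in code. The block below is an added example, not code from the message or from RFC 5011 itself: it models a validator's RFC 5011 trust-anchor state machine (AddPend, Valid, Revoked, trust-point deletion under section 5) for a zone such as ".fr". Signature verification is abstracted away: the caller passes the set of key identities whose self-signatures over the DNSKEY RRset verified, and all keys, zone names and timestamps are constructed for the demonstration.

```python
"""RFC 5011 trust-anchor state machine, simplified (added example, not the
message's or the RFC's own code). Crypto is modelled, not performed: `signers`
is the constructed set of key identities whose RRSIGs over the DNSKEY RRset
verified."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

REVOKE = 0x0080              # DNSKEY flag bit 8, RFC 5011 section 2.1
SEP = 0x0001                 # Secure Entry Point flag, set on KSKs
ZONE = 0x0100
ADD_HOLD_DOWN = 30 * 86400   # RFC 5011 section 2.4.1: add hold-down of 30 days


class State(Enum):
    ADDPEND = "AddPend"
    VALID = "Valid"
    REVOKED = "Revoked"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    pubkey: bytes

    @property
    def ident(self) -> tuple:
        # Identity ignores flags, so the REVOKE-bit copy matches the stored anchor.
        return (self.algorithm, self.pubkey)

    @property
    def revoked(self) -> bool:
        return bool(self.flags & REVOKE)


@dataclass
class Anchor:
    key: DNSKEY
    state: State
    since: int  # time the anchor entered AddPend (for the hold-down timer)


class Validator:
    def __init__(self) -> None:
        self.trust_points: dict[str, dict[tuple, Anchor]] = {}

    def configure(self, zone: str, key: DNSKEY, now: int) -> None:
        """Statically configured trust anchor: immediately Valid."""
        self.trust_points.setdefault(zone, {})[key.ident] = Anchor(key, State.VALID, now)

    def observe_dnskey(self, zone: str, rrset: list[DNSKEY], signers: set, now: int) -> None:
        anchors = self.trust_points.get(zone)
        if anchors is None:
            return
        # Section 2.1: a key is revoked only if the REVOKE-bit copy signed the RRset itself.
        for key in rrset:
            if key.revoked and key.ident in anchors and key.ident in signers:
                anchors[key.ident].state = State.REVOKED
        # Only a still-Valid anchor may vouch for new keys; a revoked key may not.
        trusted = any(a.state is State.VALID and i in signers for i, a in anchors.items())
        seen = set()
        for key in rrset:
            if key.revoked or not key.flags & SEP:
                continue
            seen.add(key.ident)
            if not trusted:
                continue
            a = anchors.get(key.ident)
            if a is None:
                anchors[key.ident] = Anchor(key, State.ADDPEND, now)
            elif a.state is State.ADDPEND and now - a.since >= ADD_HOLD_DOWN:
                a.state = State.VALID
        # Section 2.4.1: an AddPend key that disappears goes back to Start.
        for ident in [i for i, a in anchors.items() if a.state is State.ADDPEND and i not in seen]:
            del anchors[ident]
        # Section 5: all anchors revoked means the trust point is deleted.
        if anchors and all(a.state is State.REVOKED for a in anchors.values()):
            del self.trust_points[zone]

    def classify(self, zone: str, signed_by: set) -> str:
        """'secure' if a Valid anchor signed the data, 'bogus' if a trust point
        exists but no Valid anchor did, 'insecure' if no trust point is configured."""
        anchors = self.trust_points.get(zone)
        if anchors is None:
            return "insecure"
        if any(a.state is State.VALID and i in signed_by for i, a in anchors.items()):
            return "secure"
        return "bogus"


def rollback_demo() -> tuple:
    """The thread's scenario: a validator trusts a KSK for 'fr'; the operator
    then revokes it to return to an unsigned zone. Keys are constructed."""
    ksk = DNSKEY(ZONE | SEP, 8, b"constructed-fr-ksk-1")
    v = Validator()
    v.configure("fr", ksk, now=0)
    before = v.classify("fr", set())   # unsigned data while the anchor is live
    revoked = DNSKEY(ksk.flags | REVOKE, ksk.algorithm, ksk.pubkey)
    v.observe_dnskey("fr", [revoked], signers={revoked.ident}, now=1)
    after = v.classify("fr", set())    # trust point gone, unsigned data accepted
    return before, after
```

The demo makes the point in the message concrete: while the anchor exists, an unsigned ".fr" answer is bogus; once the self-signed revocation has been seen and the trust point deleted, the same answer is merely insecure. A REVOKE-bit copy that is not self-signed is ignored, and a new KSK only becomes Valid after the add hold-down, which is why the operator has to give resolvers time.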

--
archive: <http://ops.ietf.org/lists/namedroppers/>