On 21 Sep 2018, at 11:34, Ray Bellis wrote:
On 21/09/2018 16:12, Marc Blanchet wrote:
right but:
- people are lazy: until there are real events (KSK rollover), they will not care or prepare. Therefore, we must have rollover frequent enough so people do act.
- there are mechanisms to help/automate rollover, such as RFC5011, which shall fit with most use cases.
- for the use cases/reasons people do not use RFC5011, then it is like any manual configuration management: you take the responsibility to put whatever process in your org to handle that case, since you are aware that you are taking the manual route.
What about the (hypothetical?) home CPE with a validating resolver that's been left on the shelf for a couple of years?
RFC 5011 doesn't help those. AFAIK, re-bootstrapping trust for those is still an unsolved problem.
agreed. that one is unresolved yet. (I was writing in the context of ISP resolvers which I understood was the underlying discussion context.)
Marc.
Ray