[Dnssec-deployment] RRSIG for arpa expired

Eric Osterweil eoster at cs.ucla.edu
Sun Jun 6 03:17:13 EDT 2010


On Jun 5, 2010, at 12:53 PM, Paul Wouters wrote:

> On Sat, 5 Jun 2010, Casey Deccio wrote:
> 
>> Apparently the RRSIG made by arpa's KSK has expired (about 15hrs ago),
>> bringing down everything (signed and unsigned) below it as well (for
>> those using ISC DLV as a trust anchor):
> 
> Is that true? If you have all the in-addr.arpa keys configured as
> trust anchor, won't they still override the bad parent? Or is
> that only if you also provide NS records overrides in your resolver?

I think it's worth noting that using vantages, your trusted keys file would be automatically updated with all of the signed subdomains.  Basically, if arpa started failing validation, but there are signed subdomains, then their entries in the trusted-keys file would allow subdomains to be validated.  This has the nice property of augmenting the delegation hierarchy.

Eric
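
The behaviour discussed in this message, as an added example that is not part of the original post and is not Vantages or resolver code: a toy model of chain-of-trust validation in which an expired RRSIG at arpa makes a signed child bogus unless the child has its own trust anchor. It assumes the validator starts from the closest enclosing trust anchor (resolvers may differ); the zone data, timestamps and the name `unsigned-example.arpa` are constructed.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed zone data (not real signature lifetimes): whether each zone is
# signed and when the RRSIG over its DNSKEY RRset expires.
ZONES = {
    "arpa": {"signed": True, "expires": datetime(2010, 6, 5, 3, 0, tzinfo=UTC)},
    "in-addr.arpa": {"signed": True, "expires": datetime(2010, 7, 1, tzinfo=UTC)},
    "unsigned-example.arpa": {"signed": False, "expires": None},  # hypothetical
}
NOW = datetime(2010, 6, 5, 18, 0, tzinfo=UTC)        # about 15 hours after expiry
BEFORE_EXPIRY = datetime(2010, 6, 1, tzinfo=UTC)     # arpa RRSIG still valid


def closest_anchor(zone, anchors):
    """Return the closest enclosing configured trust anchor for zone, or None."""
    labels = zone.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in anchors:
            return candidate
    return None


def validate(zone, anchors, now=NOW):
    """Walk from the closest trust anchor down to zone and classify the result."""
    anchor = closest_anchor(zone, anchors)
    if anchor is None:
        return "indeterminate"  # no trust anchor covers this name
    labels = zone.split(".")
    depth = len(anchor.split("."))
    # Zones on the path, anchor first: e.g. arpa, then in-addr.arpa.
    path = [".".join(labels[len(labels) - n:]) for n in range(depth, len(labels) + 1)]
    for name in path:
        info = ZONES[name]
        if not info["signed"]:
            return "insecure"  # an authenticated parent proved there is no DS
        if info["expires"] <= now:
            return "bogus"     # DNSKEY RRset can no longer be authenticated
    return "secure"


if __name__ == "__main__":
    for anchors in ({"arpa"}, {"arpa", "in-addr.arpa"}):
        for zone in ("in-addr.arpa", "unsigned-example.arpa"):
            print(sorted(anchors), zone, validate(zone, anchors))
```

In this model the unsigned child stays bogus even with the extra anchor, because its insecure status can only be proven by the parent whose signature has expired.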
