[Dnssec-deployment] RRSIG for arpa expired

Paul Vixie vixie at isc.org
Mon Jun 7 12:14:17 EDT 2010

i think that right now dnssec is somewhat new and that we can still safely
fall back to "no validation" when folks make mistakes. as we learn from those
mistakes it'll become viable to fall back to "no data" when folks make 
mistakes. early adopters expect pain, but having gethostbyaddr() universally
fail only because ISC DLV imported the IANA TAR is probably too much pain.

when the root and ARPA are signed, then the cost of signing with the wrong
key or letting it expire will be universal failure of gethostbyaddr(). so, we
need to stop making mistakes with our keys and signatures. BIND 9.7 has gone
a long way toward automating dnssec, and i know that secure64 is also working
in this functional area. much more work must be done before we go universal.

More information about the Dnssec-deployment mailing list