[Dnssec-deployment] RRSIG for arpa expired
eoster at cs.ucla.edu
Mon Jun 7 12:33:51 EDT 2010
On Jun 7, 2010, at 9:14 AM, Paul Vixie wrote:
> i think that right now dnssec is somewhat new and that we can still safely
> fall back to "no validation" when folks make mistakes. as we learn from those
> mistakes it'll become viable to fall back to "no data" when folks make
> mistakes. early adopters expect pain, but having gethostbyaddr() universally
> fail only because ISC DLV imported the IANA TAR is probably too much pain.
> when the root and ARPA are signed, then the cost of signing with the wrong
> key or letting it expire will be universal failure of gethostbyaddr(). so, we
> need to stop making mistakes with our keys and signatures.
With respect, I really think this is the wrong message here. Which Internet-scale system is devoid of operational mistakes? We need a way to handle mistakes because they are inevitable. This is an opportunity to learn something (as you have mentioned above). Stating that we need to stop making mistakes suggests that we are ignoring lessons that we've long since learned.
I would suggest that this single point of failure (the TLD failure) should lead us to ask what we can do to avoid the fallout that delegations face in these cases.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 195 bytes
Desc: This is a digitally signed message part
Url : http://dnssec-deployment.org/pipermail/dnssec-deployment/attachments/20100607/c5d46a3b/attachment.bin
More information about the Dnssec-deployment