North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: US government mandates? use of DNSSEC by federal agencies

  • From: Leo Bicknell
  • Date: Wed Aug 27 13:24:20 2008

In a message written on Wed, Aug 27, 2008 at 10:14:48AM -0700, David Conrad wrote:
> Note that if you do turn on DNSSEC, you're going to have to make sure  
> the trust anchors you configure get updated.  Trust anchors have a  
> validity period and if they're not updated before they expire  
> validation will fail (which will appear to users of the resolver  
> pretty much like a DNS failure for all the names in the signed zone).   
> "Be careful out there."

While signing the root is the best solution, an alternate solution
until that happens is DLV, as documented in RFC 4431.  You can run
your own setup, or trust someone to do it for you.  Note that ISC
runs a DLV registry, if you wanted to trust them:
https://secure.isc.org/index.pl?/ops/dlv/

-- 
       Leo Bicknell - bicknell@xxxxxxx - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

Attachment: pgp00024.pgp
Description: PGP signature