North American Network Operators Group
Re: US government mandates? use of DNSSEC by federal agencies
Jeroen Massar wrote:
Steven M. Bellovin wrote:
On Wed, 27 Aug 2008 09:53:26 -0700 "Kevin Oberman" <oberman@xxxxxx> wrote:
Heh, maybe you could manage root key update like any other security alert/update on your host OS... Of course embedded frobs that don't auto-update like, oh say, your favorite router could be problematic. And I'd assume that those key parts of the infrastructure are probably not too keen on trusting their upstream resolver to do the checking for them.
In any case, the point of my first question was really about the concern of false positives. Do we really have any idea what will happen if you hard fail dnssec failures? If I were running a large site, I'd want to monitor the failures for a while. If nothing else, dnssec is a complicated beast and bakeoffs can only flush so many bugs out.