From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <swmike@swm.pp.se>
Received: from uplift.swm.pp.se (swm.pp.se [212.247.200.143])
 (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by lists.bufferbloat.net (Postfix) with ESMTPS id 689823BA8E;
 Fri, 12 Oct 2018 02:54:48 -0400 (EDT)
Received: by uplift.swm.pp.se (Postfix, from userid 501)
 id CF680B3; Fri, 12 Oct 2018 08:54:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail;
 t=1539327286; bh=J6KuEstNvvBmADmFxkiaYRRPOxm7A1f7+XELpjzW6y4=;
 h=Date:From:To:cc:Subject:In-Reply-To:References:From;
 b=iDGW36EFdtxAyINCludbl36xfljLk5S5+Ol7fpCM09NDaBYMiIu1Un8f8LQ0RGn72
 y1iq2EkqGs8RChfyDCpZ3hbP1LyMMMvgpvLQBbBq2dhnVWlM16W/QWfUQuJe3n7kfz
 1HiUsXrfyJlHTGz/g5YzQimZAqNJVll2a9AjDRDo=
Received: from localhost (localhost [127.0.0.1])
 by uplift.swm.pp.se (Postfix) with ESMTP id CB965B1;
 Fri, 12 Oct 2018 08:54:46 +0200 (CEST)
Date: Fri, 12 Oct 2018 08:54:46 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Dave Taht <dave.taht@gmail.com>
cc: cerowrt-devel@lists.bufferbloat.net, bloat <bloat@lists.bufferbloat.net>
In-Reply-To: <CAA93jw7a4CCv3KLtxVkDNpmpjTQ5FGSewM0O5SGtMFm9c2xmMQ@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.1810120851330.17344@uplift.swm.pp.se>
References: <CAA93jw7a4CCv3KLtxVkDNpmpjTQ5FGSewM0O5SGtMFm9c2xmMQ@mail.gmail.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Subject: Re: [Bloat] [Cerowrt-devel] DNSSEC key rollover today
X-BeenThere: bloat@lists.bufferbloat.net
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: General list for discussing Bufferbloat <bloat.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/bloat>,
 <mailto:bloat-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/bloat>
List-Post: <mailto:bloat@lists.bufferbloat.net>
List-Help: <mailto:bloat-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/bloat>,
 <mailto:bloat-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2018 06:54:48 -0000

On Thu, 11 Oct 2018, Dave Taht wrote:

> if any of you are still using cerowrt, and dnssec, it's gonna break
> unless you update this, or disable dnssec... I do not know if the new
> key was in openwrt 18.06 either...
>
> http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/

Just as an operational concern, if you have an old image of something (pre 
mid 2017) that doesn't have the new key, it's not going to be able to 
download the new key using the old key, as of today.

Any old install might have the key update function implemented and might 
have the new key, but as soon as you re-install and the new key is not 
there anymore, it'll stop working.

A DNSSEC validating device needs to have functionality to get the root key 
somehow and keep it updated. Otherwise it's better to just not validate at 
all if one cares about operational availability of the service.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se