From: Dave Taht
Date: Sun, 14 Oct 2018 08:55:39 -0700
To: Mikael Abrahamsson
Cc: cerowrt-devel@lists.bufferbloat.net, bloat
Subject: Re: [Cerowrt-devel] DNSSEC key rollover today
List-Id: Development issues regarding the cerowrt test router project

at least from where I sit, it looks like it went well.

On Thu, Oct 11, 2018 at 11:54 PM Mikael Abrahamsson wrote:
>
> On Thu, 11 Oct 2018, Dave Taht wrote:
>
> > if any of you are still using cerowrt, and dnssec, it's gonna break
> > unless you update this, or disable dnssec... I do not know if the new
> > key was in openwrt 18.06 either...
> >
> > http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
>
> Just as an operational concern, if you have an old image of something (pre
> mid 2017) that doesn't have the new key, it's not going to be able to
> download the new key using the old key, as of today.
>
> Any old install might have the key update function implemented and might
> have the new key, but as soon as you re-install and the new key is not
> there anymore, it'll stop working.
>
> A DNSSEC validating device needs to have functionality to get the root key
> somehow and keep it updated. Otherwise it's better to just not validate at
> all if one cares about operational availability of the service.
>
> --
> Mikael Abrahamsson    email: swmike@swm.pp.se

-- 
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
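
Added example, not part of the thread: a shell check for the condition Mikael describes, an image whose trust-anchor file lacks the new root key. It assumes dnsmasq's `trust-anchor=` line format and the root key tags 19036 (KSK-2010) and 20326 (KSK-2017), none of which appear in the messages; the function names and sample digests are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed dnsmasq line format:
#   trust-anchor=[<class>,]<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
OLD_TAG=19036   # root KSK-2010, the key being rolled away from (assumption)
NEW_TAG=20326   # root KSK-2017, the key in use after the rollover (assumption)

# Print the key tag of every root (".") trust anchor in file $1, one per line.
root_anchor_tags() {
    sed -n 's/^[[:space:]]*trust-anchor=//p' "$1" |
    while IFS=, read -r f1 f2 f3 _rest; do
        case "$f1" in
            IN|CH|HS) domain=$f2 tag=$f3 ;;   # optional class field present
            *)        domain=$f1 tag=$f2 ;;
        esac
        if [ "$domain" = "." ]; then echo "$tag"; fi
    done
}

# Exit status: 0 = KSK-2017 present; 1 = root anchors present but KSK-2017
# missing (validation breaks after the rollover); 2 = no root anchor found.
check_root_anchor() {
    tags=$(root_anchor_tags "$1")
    [ -n "$tags" ] || return 2
    for t in $tags; do
        if [ "$t" = "$NEW_TAG" ]; then return 0; fi
    done
    return 1
}

# Constructed sample files; digests are placeholders, not real DS digests.
write_samples() {
    printf '%s\n' '# pre-mid-2017 image' \
        "trust-anchor=.,$OLD_TAG,8,2,PLACEHOLDER_DIGEST_OLD" > "$1/old.conf"
    printf '%s\n' "trust-anchor=.,$OLD_TAG,8,2,PLACEHOLDER_DIGEST_OLD" \
        "trust-anchor=IN,.,$NEW_TAG,8,2,PLACEHOLDER_DIGEST_NEW" \
        '#trust-anchor=.,11111,8,2,COMMENTED_OUT' \
        'trust-anchor=example.org,22222,8,2,NOT_ROOT' > "$1/updated.conf"
    printf '%s\n' 'no-resolv' > "$1/none.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in old updated none; do
    rc=0; check_root_anchor "$demo_dir/$f.conf" || rc=$?
    echo "$f.conf: status $rc"
done
rm -rf "$demo_dir"
```

Run against the trust-anchor file baked into a firmware image, status 1 marks exactly the case in the thread: re-flashing that image brings back a resolver that can no longer validate.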