[Bloat] [Cerowrt-devel] DNSSEC key rollover today
Dave Taht
dave.taht at gmail.com
Sun Oct 14 11:55:39 EDT 2018
at least from where I sit, it looks like it went well.
On Thu, Oct 11, 2018 at 11:54 PM Mikael Abrahamsson <swmike at swm.pp.se> wrote:
>
> On Thu, 11 Oct 2018, Dave Taht wrote:
>
> > if any of you are still using cerowrt, and dnssec, it's gonna break
> > unless you update this, or disable dnssec... I do not know if the new
> > key was in openwrt 18.06 either...
> >
> > http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
>
> Just as an operational concern, if you have an old image of something (pre
> mid 2017) that doesn't have the new key, it's not going to be able to
> download the new key using the old key, as of today.
>
> Any old install might have the key update function implemented and might
> have the new key, but as soon as you re-install and the new key is not
> there anymore, it'll stop working.
>
> A DNSSEC validating device needs to have functionality to get the root key
> somehow and keep it updated. Otherwise it's better to just not validate at
> all if one cares about operational availability of the service.
>
> --
> Mikael Abrahamsson email: swmike at swm.pp.se
--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
More information about the Bloat
mailing list