[ksk-rollover] (Un)planning future KSK replacements

Pieter Lexis pieter.lexis at powerdns.com
Thu Mar 28 11:11:14 UTC 2019


On 3/28/19 11:01 AM, Michael StJohns wrote:
> I mostly agree with this, and would totally agree if we were completely
> 5011 based, but that's not the case.  I think there needs to be an
> "interested parties" announcement even if this isn't announced widely.
> E.g. ISPs that do manual configuration on roll-their-own DNS resolvers etc.

Correct. PowerDNS Recursor also does not do (and probably will never do)
5011. We ship the KSK TAs in the binary but are attempting to make the
OS vendors (Debian, RedHat etc.) "responsible" for providing this data,
as they already do for the root server hints.

Many (almost most) software users have a trust-relationship with their
OS vendor to provide them with up-to-date data required for continued
operation. Even if one does not _pay_ for this relationship, it simply
exists by the choice made by the operator to run this software stack.

There are non-5011 ways to get the anchors (e.g. time fetches of the
XML). But a list for announcements to interested parties, without the
publication fanfare, makes sense to not spring this on people.

Best regards,


Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
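The non-5011 route mentioned above, fetching the trust anchor XML, still needs a parser on the resolver side that honours the validity window of each key digest and only configures the anchors that are current. The following is an added example, not code from the post or from PowerDNS Recursor: it reads a document in the root-anchors.xml layout, keeps the KeyDigest entries whose validFrom/validUntil window covers a chosen date, sanity-checks the digest field, and emits them as DS records. The XML, key tags and digests are constructed placeholders, not the published root KSK values; the element and attribute names follow the IANA file layout.

```python
"""Added example (not from the mailing-list post): read a root-anchors.xml
document of the kind IANA publishes, keep the anchors whose validity window
covers a chosen date, and emit them as DS records for a resolver's trust
anchor configuration.  The XML below is constructed; its key tags and digests
are placeholders, not the published root KSK values."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hex length of the digest field per DS digest type (1=SHA-1, 2=SHA-256, 4=SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# Constructed sample in the root-anchors.xml layout: one anchor that has
# expired (validUntil in the past) and one that is still current (no validUntil).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="00000000-0000-0000-0000-000000000000"
             source="http://example.invalid/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="old" validFrom="2010-07-15T00:00:00+00:00"
           validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>11111</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>{old}</Digest>
</KeyDigest>
<KeyDigest id="new" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>22222</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>{new}</Digest>
</KeyDigest>
</TrustAnchor>
""".format(old="AB" * 32, new="CD" * 32)  # placeholder digests, not real ones


@dataclass
class Anchor:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str
    valid_from: datetime
    valid_until: Optional[datetime]  # None means "no end date published"

    def is_valid_at(self, when: datetime) -> bool:
        """True when `when` falls inside [validFrom, validUntil)."""
        if when < self.valid_from:
            return False
        return self.valid_until is None or when < self.valid_until

    def ds_record(self, zone: str) -> str:
        """Render as a DS record line usable as a static trust anchor."""
        return f"{zone} IN DS {self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC midnight, used for comparisons and in tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_root_anchors(xml_text: str) -> tuple[str, list[Anchor]]:
    """Parse the document into (zone, anchors); reject malformed digests."""
    root = ET.fromstring(xml_text)
    if root.tag != "TrustAnchor":
        raise ValueError(f"unexpected root element {root.tag!r}")
    zone = (root.findtext("Zone") or "").strip()
    if not zone:
        raise ValueError("missing <Zone>")
    anchors: list[Anchor] = []
    for kd in root.findall("KeyDigest"):
        digest = (kd.findtext("Digest") or "").strip().upper()
        digest_type = int(kd.findtext("DigestType") or 0)
        expected = DIGEST_HEX_LEN.get(digest_type)
        # A digest of the wrong length or with non-hex characters is a sign of
        # a truncated or corrupted fetch; refuse rather than configure garbage.
        if expected is None or len(digest) != expected or any(c not in "0123456789ABCDEF" for c in digest):
            raise ValueError(f"bad digest for KeyDigest id={kd.get('id')!r}")
        until = kd.get("validUntil")
        anchors.append(Anchor(
            key_tag=int(kd.findtext("KeyTag") or 0),
            algorithm=int(kd.findtext("Algorithm") or 0),
            digest_type=digest_type,
            digest=digest,
            valid_from=datetime.fromisoformat(kd.get("validFrom")),
            valid_until=datetime.fromisoformat(until) if until else None,
        ))
    return zone, anchors


def current_ds_records(xml_text: str, now: datetime) -> list[str]:
    """DS records for every anchor whose validity window covers `now`."""
    zone, anchors = parse_root_anchors(xml_text)
    return [a.ds_record(zone) for a in anchors if a.is_valid_at(now)]


if __name__ == "__main__":
    for line in current_ds_records(SAMPLE_XML, datetime.now(timezone.utc)):
        print(line)
```

The point of the validity window is that a fetched file may legitimately carry an expired anchor next to the current one; a resolver that loads every KeyDigest unconditionally keeps trusting a retired key, while one that drops entries with no validUntil loses the only current one. Comparing against the resolver's own clock also means an unsynchronised clock silently changes which anchors are loaded, which is worth a monitoring check alongside the fetch itself.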
