[Unbound-users] On stale keys and Unbound behavior

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Fri Feb 12 14:30:37 UTC 2010

On Fri, Feb 12, 2010 at 02:28:41PM +0100, Olaf Kolkman wrote:
> In the particular case described in the columnm, RFC5011 methodology might not have worked; an old OS distribution carrying a stale key that is several generations old cannot be tracked using RFC5011 techniques. Wijngaards and Kolkman have been working on a proposal to fix that particular issue: "DNSSEC Trust Anchor History Service" (http://tools.ietf.org/html/draft-wijngaards-dnsop-trust-history).

	glad to see that work going forward.  Manning and Yamaguchi are working on
	a similar set of techniques to deal with the unscheduled key rollover issue
	based in part on an expired draft that was an alternative to what became RFC 5011.

	i suspect that work is complimentary to either RFC 5011 or the -history draft.


> -- Olaf Kolkman
>    NLnet Labs

More information about the Unbound-users mailing list