Re: Last Call comment on draft-weiler-dnssec-dlv-iana-00.txt

[David Conrad <drc at virtualized.org>]

Mark,

On Aug 29, 2007, at 4:23 PM, Mark Andrews wrote:
> > If the root gets signed and you remove the DLV stuff, won't you break
> > any caching resolver that still has the DLV trust anchor configured?
> 	No.  Please re-read the quoted paragraph.  The root's DLV
> 	will be there.

Please re-read my question.

> 	You only need DLV records where there is a missing link in the
> 	trust chain.  If you have "." you don't need a DLV for "se" as
> 	there will be a DS for "se" in the root zone.

Perhaps surprisingly, I understand this.

My question, somewhat expanded, is:

If you configure a trust anchor for "the" DLV registry and at some  
point in time in the future, that DLV registry ceases to function  
_and you have not changed the trust anchor configuration_, won't  
validation fail?

The point of this question:

If you start mucking about with production services that require  
configuration on the part of system administrators (particularly in  
the somewhat arcane world of DNSSEC trust anchors), it can become  
quite difficult to stop that production service without breaking  
stuff.  Is this a place we want to go for a temporary hack?

Thanks,
-drc


_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf