nanog mailing list archives
Re: .gov DNSSEC operational message
From: bmanning () vacation karoshi com
Date: Wed, 29 Dec 2010 04:25:27 +0000
On Tue, Dec 28, 2010 at 08:07:22PM -0800, Kevin Oberman wrote:
> Yes, having a verifiable source of keys OOB might have a small bit of
> value, but, assuming we get general adoption of RFC 5011, I think it's
> pretty limited value. Of course, this begs the question, how do we do a
> better job of verifying the keys received out of band than the root zone
> does of verifying the keys? Sort of a chicken and egg problem.
>
> --
> R. Kevin Oberman, Network Engineer
presumes RFC 5011 is viable. Fall outside the 30-day window and you're screwed. :)

That said, what folks came up w/ for the root key roll might be a useful template, e.g. the use of TCRs and an M/N assurance check, in those rare cases where you're just foobarr'ed and you can't take your servers into the SCIF to rekey. And/or an alternative to the strict timing constraints in RFC 5011, with a protocol that gives more leeway for a node being offline over a keyroll interval. There -should- be a functional equivalent of OTAR for DNSSEC keys that is not constrained to a tight window... IMHO of course.

--bill
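The failure mode bill is pointing at, as an added illustration that is not part of the original thread: a small simulation of the RFC 5011 trust-anchor state machine (AddPend / Valid / Missing / Revoked with the 30-day add hold-down) run against a constructed KSK roll. Cryptography is stubbed: an RRset counts as "validly signed" by a key if that key id is in its `signers` set, and the key ids, poll schedules and roll dates are made up for the example. A resolver that polls through the roll ends up trusting the new key; one that is offline until after the old key has stopped signing never can, because RFC 5011 only accepts a DNSKEY RRset signed by a key it already trusts.

```python
"""RFC 5011 hold-down logic for one trust point, simulated on a made-up timeline.
Example code written for this archive page; not from the thread or any resolver.
Signatures are stubbed: a key 'signs' an RRset if its id is in rrset.signers.
"""
from dataclasses import dataclass

ADD_HOLD_DOWN = 30     # days, RFC 5011 minimum add hold-down time
REMOVE_HOLD_DOWN = 30  # days, RFC 5011 remove hold-down time


@dataclass(frozen=True)
class DNSKey:
    key_id: int
    revoked: bool = False   # the REVOKE bit from RFC 5011


@dataclass
class KeyRRset:
    """One observed DNSKEY RRset: the keys present and the key ids whose
    RRSIG over the set verified (constructed, no real crypto)."""
    keys: tuple
    signers: frozenset


@dataclass
class AnchorState:
    state: str   # "AddPend", "Valid", "Missing" or "Revoked"
    since: int   # day the current state was entered


class Rfc5011Resolver:
    def __init__(self, initial_anchor: int):
        self.anchors = {initial_anchor: AnchorState("Valid", 0)}

    def trusted_ids(self):
        return {k for k, a in self.anchors.items() if a.state in ("Valid", "Missing")}

    def poll(self, day: int, rrset: KeyRRset) -> bool:
        """Process one observation of the DNSKEY RRset. Returns False, and
        changes nothing, if no currently trusted key signed it."""
        if not (self.trusted_ids() & rrset.signers):
            return False   # unverifiable set: this is the offline-too-long trap
        present = {k.key_id: k for k in rrset.keys}
        # Revocation: a self-signed key with the REVOKE bit is never trusted again.
        for kid, key in present.items():
            st = self.anchors.get(kid)
            if key.revoked and kid in rrset.signers and st and st.state != "Revoked":
                self.anchors[kid] = AnchorState("Revoked", day)
        # New keys enter AddPend and become Valid after a full hold-down period.
        for kid, key in present.items():
            if key.revoked:
                continue
            st = self.anchors.get(kid)
            if st is None:
                self.anchors[kid] = AnchorState("AddPend", day)
            elif st.state == "AddPend" and day - st.since >= ADD_HOLD_DOWN:
                self.anchors[kid] = AnchorState("Valid", day)
            elif st.state == "Missing":
                self.anchors[kid] = AnchorState("Valid", day)
        # Keys that vanished: AddPend restarts, Valid -> Missing -> dropped.
        for kid, st in list(self.anchors.items()):
            if kid in present:
                continue
            if st.state == "AddPend":
                del self.anchors[kid]
            elif st.state == "Valid":
                self.anchors[kid] = AnchorState("Missing", day)
            elif st.state == "Missing" and day - st.since >= REMOVE_HOLD_DOWN:
                del self.anchors[kid]
        return True


K1, K2 = 1, 2   # hypothetical key ids: K1 is the configured anchor, K2 the new KSK


def zone_rrset(day: int) -> KeyRRset:
    """Constructed roll: K2 pre-published on day 0, K1 revoked (but still
    signing) on day 60, K1 gone and only K2 signing from day 90."""
    if day < 60:
        return KeyRRset((DNSKey(K1), DNSKey(K2)), frozenset({K1, K2}))
    if day < 90:
        return KeyRRset((DNSKey(K1, revoked=True), DNSKey(K2)), frozenset({K1, K2}))
    return KeyRRset((DNSKey(K2),), frozenset({K2}))


def run_timeline(poll_days):
    """Poll the zone on the given days starting from K1 as the only anchor;
    return (trusted key ids at the end, days whose RRset was rejected)."""
    r = Rfc5011Resolver(K1)
    rejected = [d for d in poll_days if not r.poll(d, zone_rrset(d))]
    return r.trusted_ids(), rejected


if __name__ == "__main__":
    print("online every 5 days :", run_timeline(list(range(0, 121, 5))))
    print("offline day 1..94   :", run_timeline([0, 95]))
    print("back before day 90  :", run_timeline([0, 75, 95]))
```

The third schedule is the interesting one for bill's argument: what actually bounds the outage is not the 30-day hold-down itself but how long the zone keeps the old key signing after it is revoked; come back inside that period and the new key is accepted, come back after it and nothing short of an out-of-band re-key (the TCR / M-of-N style recovery he mentions) gets the resolver going again.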