Re: [dane] DNSSEC for tools.ietf.org
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 28 April 2016 16:15 UTC
On Thu, Apr 28, 2016 at 03:40:29PM +0100, Jim Reid wrote:

> > If the IETF can not get DNSSEC right, who should?
>
> They are getting it right AFAICT.

Yes, basically right, here's the DS-free delegation:

    tools.ietf.org. NS    gamay.levkowetz.com.
    tools.ietf.org. NS    zinfandel.levkowetz.com.
    tools.ietf.org. NS    merlot.levkowetz.com.
    tools.ietf.org. NSEC  trac.ietf.org. NS RRSIG NSEC
    tools.ietf.org. RRSIG NSEC 5 3 1800 20170308083312 20160308073501 40452 ietf.org. <sig>

The thing one might quibble about is the IMHO much too long RRSIG
validity interval.  One year signatures are rather long.  With this
signature in hand, an attacker can deny any signature for tools.ietf.org
until March 2017 even if the zone were signed tomorrow.

--
    Viktor.
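
The replay window described in the message above, worked through as an added example (not part of the original message and not code from any IETF tooling): the Python below parses the NSEC and RRSIG lines as quoted, checks that the NSEC type list is a no-DS proof, and computes how long the signature remains replayable. The function name, the 30-day threshold and the line layout without TTL or class fields are assumptions made for this example.

```python
from datetime import datetime, timezone

# The two records quoted in the message, signature elided as on the page.
RECORDS = """\
tools.ietf.org. NSEC trac.ietf.org. NS RRSIG NSEC
tools.ietf.org. RRSIG NSEC 5 3 1800 20170308083312 20160308073501 40452 ietf.org. <sig>
"""

def _ts(field):
    # RRSIG presentation-format timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, 3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_no_ds_proof(zone_text, now, max_days=30):
    """Audit an NSEC-based 'no DS here' proof; max_days is an assumed policy limit."""
    nsec_types = expiration = inception = None
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "NSEC":
            nsec_types = set(f[3:])            # f[2] is the next owner name
        elif len(f) >= 10 and f[1] == "RRSIG" and f[2] == "NSEC":
            # f[3..5] = algorithm, labels, original TTL; then expiration, inception
            expiration, inception = _ts(f[6]), _ts(f[7])
    if nsec_types is None or expiration is None:
        raise ValueError("need the NSEC record and the RRSIG that covers it")
    validity = expiration - inception
    remaining = expiration - now
    return {
        # NS set, DS and SOA clear: a signed statement that the child is unsigned.
        "proves_no_ds": "NS" in nsec_types and not ({"DS", "SOA"} & nsec_types),
        "validity_days": validity.days,
        # How long a captured copy still validates, whatever the zone publishes later.
        "replayable_days": max(remaining.days, 0),
        "too_long": validity.days > max_days,
    }

if __name__ == "__main__":
    sent = datetime(2016, 4, 28, 16, 10, 1, tzinfo=timezone.utc)  # Date: of the message
    print(audit_no_ds_proof(RECORDS, sent))
```
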