Re: [dane] DNSSEC for tools.ietf.org

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 28 April 2016 16:15 UTC

Date: Thu, 28 Apr 2016 16:10:01 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160428161000.GI3300@mournblade.imrryr.org>
References: <20160428141920.21A021A4AD@ld9781.wdf.sap.corp> <99FD74A6-3DF4-4048-9078-45CCA7162D4A@rfc1035.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <99FD74A6-3DF4-4048-9078-45CCA7162D4A@rfc1035.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/npvFMvBNNQrBJs5s68xqS1JF7QM>
Subject: Re: [dane] DNSSEC for tools.ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>

On Thu, Apr 28, 2016 at 03:40:29PM +0100, Jim Reid wrote:

> > If the IETF can not get DNSSEC right, who should?
> 
> They are getting it right AFAICT.

Yes, basically right, here's the DS-free delegation:

    tools.ietf.org.         NS      gamay.levkowetz.com.
    tools.ietf.org.         NS      zinfandel.levkowetz.com.
    tools.ietf.org.         NS      merlot.levkowetz.com.
    tools.ietf.org.         NSEC    trac.ietf.org. NS RRSIG NSEC
    tools.ietf.org.         RRSIG   NSEC 5 3 1800 20170308083312 20160308073501 40452 ietf.org. <sig>

The thing one might quibble about is the IMHO much too long RRSIG
validity interval.  One year signatures are rather long.  With this
signature in hand, an attacker can deny any signature for tools.ietf.org
until March 2017 even if the zone were signed tomorrow.

-- 
	Viktor.