Re: NGtrans - DNSext joint meeting, call for participation
Mark.Andrews@nominum.com Sun, 29 July 2001 05:52 UTC
From: Mark.Andrews@nominum.com
To: "D. J. Bernstein" <djb@cr.yp.to>
Cc: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
Subject: Re: NGtrans - DNSext joint meeting, call for participation
In-reply-to: Your message of "28 Jul 2001 06:08:23 GMT." <20010728060823.20080.qmail@cr.yp.to>
Date: Sat, 28 Jul 2001 09:35:52 -0700

> Mark.Andrews@nominum.com writes:
> > there is no requirement to re-sign every record to achieve
> > your 1 day expiry. Just change the zone key whenever you change
> > zone data and have a 1 day expiry on the zone key's signature.
>
> No. If you maintain the validity of signatures on old records, you're
> allowing the attack to succeed. If you don't maintain the validity of
> those signatures, you have to immediately sign those records again.
>
> Please withdraw your claim.

Dan, your claim is that you have to re-sign every record in a
zone daily to achieve a 1 day replay window. I'm stating that
you can achieve the same protection without re-signing every
record daily.

Pre change:

    example.com KEY alpha
    example.com SIG KEY expire=200107292257 (1 day)
    host.example.com A 1.2.3.4
    host.example.com SIG A expire=200108272257 (30 days)

Post change:

    example.com KEY beta
    example.com SIG KEY expire=200107072258 (1 day)
    host.example.com A 1.2.3.5
    host.example.com SIG A expire=200108272258 (30 days)

Please explain how you can verify

    host.example.com A 1.2.3.4
    host.example.com SIG A expire=200108272257

after 200107292257.

Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com
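
Added example, not part of the original message: a small Python model of the expiry chain in the pre-change listing above, showing when a replayed copy of the old record stops validating. Signature checking is reduced to matching key names, and the name `anchor` for the key that signs the zone KEY is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime

def ts(stamp: str) -> datetime:
    """Parse the YYYYMMDDHHMM expiry form used in the message."""
    return datetime.strptime(stamp, "%Y%m%d%H%M")

@dataclass(frozen=True)
class Sig:
    signer: str        # name of the key that made the signature
    expire: datetime   # signature expiration time

@dataclass(frozen=True)
class Bundle:
    """What a replaying party can present: the zone KEY, the SIG over it,
    one data record and the SIG over that record."""
    zone_key: str
    key_sig: Sig
    record: str
    record_sig: Sig

ANCHOR = "anchor"  # assumption: a key the validator already trusts signs the zone KEY

def validate(b: Bundle, now: datetime) -> tuple[bool, str]:
    """Walk the chain anchor -> zone KEY -> record; any expired link fails it."""
    if b.key_sig.signer != ANCHOR:
        return False, "zone KEY not signed by a trusted key"
    if now > b.key_sig.expire:
        return False, "SIG KEY expired"
    if b.record_sig.signer != b.zone_key:
        return False, "record SIG made by a different key"
    if now > b.record_sig.expire:
        return False, "record SIG expired"
    return True, "ok"

def replay_window_end(b: Bundle) -> datetime:
    """The bundle stops validating at the earliest expiry in its chain."""
    return min(b.key_sig.expire, b.record_sig.expire)

# Pre-change data from the message (key and signature bytes are not modelled).
OLD = Bundle("alpha", Sig(ANCHOR, ts("200107292257")),
             "host.example.com A 1.2.3.4", Sig("alpha", ts("200108272257")))

if __name__ == "__main__":
    for when in ("200107291200", "200107292258"):
        print(when, validate(OLD, ts(when)))
    print("replay window ends", replay_window_end(OLD))
```
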