IETF Logo Mail Archive

Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

"George Barwood" <george.barwood@blueyonder.co.uk> Fri, 28 January 2011 09:46 UTC

Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9FE7F3A6C08 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 01:46:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.696
X-Spam-Level:
X-Spam-Status: No, score=0.696 tagged_above=-999 required=5 tests=[AWL=0.101, BAYES_00=-2.599, HELO_EQ_BLUEYON=1.4, MIME_BASE64_BLANKS=0.041, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xm0fOYqJTtob for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 01:46:52 -0800 (PST)
Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7]) by core3.amsl.com (Postfix) with ESMTP id CC3D93A6965 for <dnsext@ietf.org>; Fri, 28 Jan 2011 01:46:51 -0800 (PST)
Received: from [172.23.170.147] (helo=anti-virus03-10) by smtp-out4.blueyonder.co.uk with smtp (Exim 4.52) id 1Pikxn-0001Nj-Of; Fri, 28 Jan 2011 09:49:55 +0000
Received: from [92.238.99.235] (helo=GeorgeLaptop) by asmtp-out5.blueyonder.co.uk with smtp (Exim 4.72) (envelope-from <george.barwood@blueyonder.co.uk>) id 1PikxQ-0007Z3-RH; Fri, 28 Jan 2011 09:49:32 +0000
Message-ID: <1964C69C6E2043BAA45387ED557C72E2@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: John Bashinski <jbash@cisco.com>, Florian Weimer <fweimer@bfk.de>
References: <4D41D3E2.6060107@cisco.com> <82r5bxl8yo.fsf@mid.bfk.de>
Date: Fri, 28 Jan 2011 09:49:54 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 09:46:52 -0000

----- Original Message ----- 
From: "Florian Weimer" <fweimer@bfk.de>

> Would it help you if there weren't any vanity key rollovers at all?

I think it's necessary to roll the key eventually because DNSSEC signature dates wrap,
(and signatures can therefore be replayed) but only after 136 years.

My feeling is that the roll process should be very slow.

e.g. the DS record for a new key is published say 60 years in advance,
with a new key being generated say every 20 years.

That allows a long (60 year) life for equipment that has a DS record for the root embedded.

George

v2.23.0 | Report a Bug | By Email