Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
"George Barwood" <george.barwood@blueyonder.co.uk> Tue, 01 February 2011 16:47 UTC
Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 92B003A6C23 for <dnsext@core3.amsl.com>; Tue, 1 Feb 2011 08:47:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.731
X-Spam-Level:
X-Spam-Status: No, score=0.731 tagged_above=-999 required=5 tests=[AWL=0.136, BAYES_00=-2.599, HELO_EQ_BLUEYON=1.4, MIME_BASE64_BLANKS=0.041, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0Ost4TRBG0x for <dnsext@core3.amsl.com>; Tue, 1 Feb 2011 08:47:11 -0800 (PST)
Received: from smtp-out3.blueyonder.co.uk (smtp-out3.blueyonder.co.uk [195.188.213.6]) by core3.amsl.com (Postfix) with ESMTP id 5C6B83A6BFF for <dnsext@ietf.org>; Tue, 1 Feb 2011 08:47:11 -0800 (PST)
Received: from [172.23.170.141] (helo=anti-virus02-08) by smtp-out3.blueyonder.co.uk with smtp (Exim 4.52) id 1PkJQx-00015h-N5; Tue, 01 Feb 2011 16:50:27 +0000
Received: from [92.238.99.235] (helo=GeorgeLaptop) by asmtp-out6.blueyonder.co.uk with smtp (Exim 4.72) (envelope-from <george.barwood@blueyonder.co.uk>) id 1PkJQf-0000YX-00; Tue, 01 Feb 2011 16:50:09 +0000
Message-ID: <5AD6E9AC27744EC0BA907125654003F8@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Tony Finch <dot@dotat.at>
References: <4D41D3E2.6060107@cisco.com> <82r5bxl8yo.fsf@mid.bfk.de> <1964C69C6E2043BAA45387ED557C72E2@local> <alpine.LSU.2.00.1102011624120.5244@hermes-1.csi.cam.ac.uk>
Date: Tue, 01 Feb 2011 16:50:49 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Feb 2011 16:47:12 -0000
----- Original Message ----- From: "Tony Finch" <dot@dotat.at> To: "George Barwood" <george.barwood@blueyonder.co.uk> Cc: <dnsext@ietf.org> Sent: Tuesday, February 01, 2011 4:25 PM Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks > On Fri, 28 Jan 2011, George Barwood wrote: >> >> I think it's necessary to roll the key eventually because DNSSEC >> signature dates wrap, (and signatures can therefore be replayed) but >> only after 136 years. > > There are no dates on DNS keys so I don't understand the relevance of this > point. Ok, we are talking about replay attacks. The date fields in RRSIG records wrap around after 136 years, so an attacker can replay responses from 136 years ago and they will be accepted as current, if no KSK rollover has been performed. Thus in DNSSEC, you must roll any KSK at least once every 136 years to remain secure. ( 136 years = 2^32 seconds ) George > Tony. > -- > f.anthony.n.finch <dot@dotat.at> http://dotat.at/ > HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7, > DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR > ROUGH. RAIN THEN FAIR. GOOD.
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- [dnsext] Historical root keys: The Large Router V… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… David Conrad
- Re: [dnsext] Historical root keys: The Large Rout… Brian Dickson
- Re: [dnsext] Historical root keys: The Large Rout… Jakob Schlyter
- Re: [dnsext] Historical root keys: The Large Rout… Florian Weimer
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Andrew Sullivan
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Nicholas Weaver
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- [dnsext] A question about the need for "historica… Edward Lewis
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] A question about the need for "histo… John Bashinski
- Re: [dnsext] A question about the need for "histo… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] A question about the need for "histo… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Chris Thompson
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Olafur Gudmundsson