Re: [dnsext] DS digest downgrade
Edward Lewis <Ed.Lewis@neustar.biz> Tue, 22 March 2011 12:10 UTC

At 21:25 +0000 3/21/11, George Barwood wrote:

>Was this ever discussed?

In the 90's, at the dawn of all this we considered downgrade situations.

DNSSEC is not there to protect the zone, it exists to protect the cache. The cache is the element that decides what to trust or not. Local policy and all that.

A zone only makes data available to the cache. The more the merrier. Caches should be liberal in what they trust - but also firm in what they don't.

If SHA-1 is at risk, never use it, remove it from consideration.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say? Waah?"
Son: "Waah!"
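
An added illustration, not part of the original message or of any resolver's code: a cache-side DS check in which local policy removes a digest type from consideration before any matching is done. The function names, the result strings and the sample keys are assumptions constructed for the example; key B stands in for a key that is reachable only through the SHA-1 DS.

```python
import hashlib
import struct

# DS digest type numbers from the IANA registry: 1 = SHA-1, 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    # RFC 4034: digest over the owner name (wire form) followed by the DNSKEY RDATA.
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()

def make_ds(owner, rdata, digest_type):
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def check_key(owner, ds_rrset, rdata, distrusted=frozenset()):
    """Hypothetical cache-side check: drop distrusted digest types, then match."""
    usable = [ds for ds in ds_rrset if ds[2] in DIGESTS and ds[2] not in distrusted]
    if not usable:
        return "no-usable-ds"  # how to treat the zone then is local policy, not decided here
    for tag, alg, dtype, digest in usable:
        if (tag, alg) == (key_tag(rdata), rdata[3]) and digest == ds_digest(owner, rdata, dtype):
            return "match"
    return "no-match"

def demo():
    # Constructed sample data, not real keys.
    key_a = dnskey_rdata(257, 3, 8, b"constructed-public-key-A")
    key_b = dnskey_rdata(257, 3, 8, b"constructed-public-key-B")
    ds_rrset = [make_ds("example.", key_b, 1), make_ds("example.", key_a, 2)]
    return {
        "B, SHA-1 allowed": check_key("example.", ds_rrset, key_b),
        "B, SHA-1 removed": check_key("example.", ds_rrset, key_b, {1}),
        "A, SHA-1 removed": check_key("example.", ds_rrset, key_a, {1}),
        "SHA-1-only DS set": check_key("example.", ds_rrset[:1], key_b, {1}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```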