[DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-13.txt

internet-drafts@ietf.org Mon, 16 July 2018 12:49 UTC

From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dnsop@ietf.org
Message-ID: <153174539326.23149.7392295208412679544@ietfa.amsl.com>
Date: Mon, 16 Jul 2018 05:49:53 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3kTe_JhP33G5mK-ZSNps2xIfucs>

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : Security Considerations for RFC5011 Publishers
        Authors         : Wes Hardaker
                          Warren Kumari
        Filename        : draft-ietf-dnsop-rfc5011-security-considerations-13.txt
        Pages           : 20
        Date            : 2018-07-16

   This document extends the RFC5011 rollover strategy with timing
   advice that must be followed by the publisher in order to maintain
   security.  Specifically, this document describes the math behind the
   minimum time-length that a DNS zone publisher must wait before
   signing exclusively with recently added DNSKEYs.  This document also
   describes the minimum time-length that a DNS zone publisher must wait
   after publishing a revoked DNSKEY before assuming that all active
   RFC5011 resolvers should have seen the revocation-marked key and
   removed it from their list of trust anchors.

   This document contains a good deal of math and complicated equations,
   but the summary is that the key rollover / revocation time is much
   longer than intuition would suggest.  This document updates RFC7583
   by adding additional delays (sigExpirationTime and

   If you are not both publishing a DNSSEC DNSKEY, and using RFC5011 to
   advertise this DNSKEY as a new Secure Entry Point key for use as a
   trust anchor, you probably don't need to read this document.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at: