[DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-10.txt
internet-drafts@ietf.org Tue, 19 December 2017 18:49 UTC
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4bELldThHqpbqdKgR2WoDCIqx20>
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : Security Considerations for RFC5011 Publishers
        Authors         : Wes Hardaker
                          Warren Kumari
        Filename        : draft-ietf-dnsop-rfc5011-security-considerations-10.txt
        Pages           : 19
        Date            : 2017-12-19

Abstract:
   This document extends the RFC5011 rollover strategy with timing advice
   that must be followed by the publisher in order to maintain security.
   Specifically, this document describes the math behind the minimum
   time-length that a DNS zone publisher must wait before signing
   exclusively with recently added DNSKEYs.  This document also describes
   the minimum time-length that a DNS zone publisher must wait after
   publishing a revoked DNSKEY before assuming that all active RFC5011
   resolvers should have seen the revocation-marked key and removed it
   from their list of trust anchors.

   This document contains much math and complicated equations, but the
   summary is that the key rollover / revocation time is much longer than
   intuition would suggest.  If you are not both publishing a DNSSEC
   DNSKEY, and using RFC5011 to advertise this DNSKEY as a new Secure
   Entry Point key for use as a trust anchor, you probably don't need to
   read this document.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5011-security-considerations/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-rfc5011-security-considerations-10
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5011-security-considerations-10

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc5011-security-considerations-10

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/
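The abstract only states that the publisher-side wait is longer than intuition suggests; the Python simulation below, added here and not part of the draft or of this announcement, shows where extra time comes from under explicitly stated assumptions. It uses two values that RFC 5011 itself defines (the 30-day add hold-down and the Active Refresh interval MAX(1 hr, MIN(15 days, 1/2 OrigTTL, 1/2 RRSigExpirationInterval))). The worst-case resolver timeline and the assumption that a poll may be answered from an upstream cache up to one TTL old are this example's own modelling choices; the draft's derivation contains further terms that are not reproduced here, so treat the numbers as a lower bound on the publisher's wait, not as the draft's result.

```python
"""Worst-case RFC 5011 resolver timeline for a publisher adding or revoking a key.

Illustrative simulation written for this page; it is NOT the draft's own
derivation and the modelling assumptions below are constructed for the example.
"""
from datetime import timedelta
from math import ceil

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)

# RFC 5011: a resolver keeps a newly seen SEP key in "add pending" state for
# 30 days before it may become a trust anchor.
ADD_HOLD_DOWN = 30 * DAY


def active_refresh(ttl: timedelta, sig_expiration_interval: timedelta) -> timedelta:
    """RFC 5011 Active Refresh interval: how often a resolver re-polls the DNSKEY RRset.

    MAX(1 hr, MIN(15 days, 1/2 * OrigTTL, 1/2 * RRSigExpirationInterval))
    """
    return max(HOUR, min(15 * DAY, ttl / 2, sig_expiration_interval / 2))


def _next_poll_at_or_after(target: timedelta, refresh: timedelta) -> timedelta:
    """First poll instant k * refresh (k >= 1) that is at or after `target`."""
    k = max(1, ceil(target / refresh))
    return k * refresh


def worst_case_add_wait(ttl: timedelta, sig_expiration_interval: timedelta,
                        hold_down: timedelta = ADD_HOLD_DOWN) -> dict:
    """Time after publication when the slowest well-behaved resolver trusts the key.

    Assumptions (constructed for this example, not taken from the draft):
      * the resolver's last pre-rollover poll happened just before publication,
        so its polls land at refresh, 2*refresh, ... after time zero;
      * a poll may be answered from an upstream cache up to one TTL old, so only
        a poll at or after TTL is guaranteed to show the new key;
      * the hold-down starts at that first guaranteed sighting, and the key is
        promoted only at the resolver's next poll after the hold-down elapsed.
    """
    refresh = active_refresh(ttl, sig_expiration_interval)
    first_fresh_sighting = _next_poll_at_or_after(ttl, refresh)
    hold_down_end = first_fresh_sighting + hold_down
    trusted_at = first_fresh_sighting + _next_poll_at_or_after(hold_down, refresh)
    return {
        "active_refresh": refresh,
        "first_fresh_sighting": first_fresh_sighting,
        "hold_down_end": hold_down_end,
        "trusted_at": trusted_at,
        # How much longer than the bare hold-down the publisher must keep the
        # old key in service before signing exclusively with the new one.
        "beyond_hold_down": trusted_at - hold_down,
    }


def worst_case_revoke_wait(ttl: timedelta, sig_expiration_interval: timedelta) -> timedelta:
    """Time the publisher must keep a REVOKE-marked key published so that the
    slowest resolver in the model above sees it at least once (RFC 5011 removes
    a revoked trust anchor as soon as a self-signed revoked key is seen).
    Same constructed assumptions as worst_case_add_wait."""
    refresh = active_refresh(ttl, sig_expiration_interval)
    return _next_poll_at_or_after(ttl, refresh)


def _fmt(td: timedelta) -> str:
    return f"{td.total_seconds() / 86400:.2f} days"


if __name__ == "__main__":
    # Constructed sample zone parameters: a 3-day DNSKEY TTL and 14-day RRSIG validity.
    ttl, sig_exp = timedelta(days=3), timedelta(days=14)
    add = worst_case_add_wait(ttl, sig_exp)
    print("Active Refresh interval :", _fmt(add["active_refresh"]))
    print("First guaranteed sighting:", _fmt(add["first_fresh_sighting"]))
    print("Hold-down ends          :", _fmt(add["hold_down_end"]))
    print("Key trusted everywhere  :", _fmt(add["trusted_at"]))
    print("Extra beyond 30-day hold-down:", _fmt(add["beyond_hold_down"]))
    print("Revoked key must stay published at least:",
          _fmt(worst_case_revoke_wait(ttl, sig_exp)))
```

With the constructed 3-day TTL and 14-day signature validity the resolver polls every 36 hours, cannot be sure of seeing the new key until day 3, and promotes it on day 33, three days after the nominal 30-day hold-down; shorter TTLs shrink the gap but never remove it, and a publisher that signs exclusively with the new key on day 30 would strand resolvers that are still in hold-down. The same polling and caching terms bound how long a revoked key has to remain published.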