Re: [DNSOP] Trust History draft

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Mon, 05 October 2009 07:03 UTC

Return-Path: <wouter@nlnetlabs.nl>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE28D3A6874 for <dnsop@core3.amsl.com>; Mon, 5 Oct 2009 00:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.353
X-Spam-Level:
X-Spam-Status: No, score=-1.353 tagged_above=-999 required=5 tests=[AWL=-1.167, BAYES_40=-0.185, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uyy-cMHavGgy for <dnsop@core3.amsl.com>; Mon, 5 Oct 2009 00:03:41 -0700 (PDT)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id CD4CD3A67A7 for <dnsop@ietf.org>; Mon, 5 Oct 2009 00:03:40 -0700 (PDT)
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id n9575BHq015644 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 5 Oct 2009 09:05:12 +0200 (CEST) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <4AC99AA7.6040504@nlnetlabs.nl>
Date: Mon, 05 Oct 2009 09:05:11 +0200
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.1) Gecko/20090814 Fedora/3.0-2.6.b3.fc11 Thunderbird/3.0b3
MIME-Version: 1.0
To: Florian Weimer <fweimer@bfk.de>
References: <4A49FACD.8020400@nlnetlabs.nl> <82tyyez60u.fsf@mid.bfk.de>
In-Reply-To: <82tyyez60u.fsf@mid.bfk.de>
X-Enigmail-Version: 0.96a
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.3 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Mon, 05 Oct 2009 09:05:12 +0200 (CEST)
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Trust History draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2009 07:03:41 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Florian,

On 10/05/2009 08:52 AM, Florian Weimer wrote:
> I don't understand this part:
> | validator configuration.  The validator then fetches old DNSKEY
> | RRsets and checks they form a chain to the latest key.
> 
> Doesn't this defeat the purpose of key rollovers?

No, it doesn't.  Key rollovers remain completely effective
for computers that are online at the time of rollover.
This is as effective as key rollover is today.

The draft proposes a way for computers that were offline
during the key rollover to get back on track.  The way
it is done makes them all get back on track using the
most recent keys they had, so that the 'oldest key' is
the least old possible.

Thus the key rollover is aimed for, but with the computers
being offline, the best you can do is have them 'roll over'
in larger steps, this being the step from 'their most
recent keys' to the 'current key when they go online'.

Of course, in reality, this turns into a distribution of
computers, each with older and older keys, having been
offline for longer and longer.  There were concerns
expressed about limiting that to some maximum, and this
has been addressed in a more recent version of the draft.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkrJmqcACgkQkDLqNwOhpPiLTQCeJK7uybil6TjLdv+hyNY4jc+R
DWsAoLcZV41JlPpXSGzLxO8K3CFoBqa6
=0pmj
-----END PGP SIGNATURE-----
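The chain walk Wouter describes (a validator that was offline fetches the old DNSKEY RRsets and checks they chain from the most recent key it held to the current key, with a cap on how far back it may go) as an added toy model. This is example code written for this archive page, not code from the draft, from Unbound or from NLnet Labs; key tags, secrets and the zone history are constructed, and RRSIG verification is replaced by a labelled hash-based stand-in so the block runs offline with the standard library only.

```python
"""Toy model of a trust-history chain walk (constructed example).

A validator holds the DNSKEY RRset it last saw while online, fetches the
history of DNSKEY RRsets the zone has published, and checks that each RRset
is signed by a key from the RRset before it, up to the current one.
sign()/verify() are a sha256 stand-in for RRSIG; real DNSSEC uses public-key
signatures, which changes the crypto but not the walk.
"""
import hashlib
import hmac
from dataclasses import dataclass


class TrustHistoryError(Exception):
    """The published DNSKEY history cannot be chained to a key this validator trusts."""


@dataclass(frozen=True)
class Key:
    key_tag: int    # stands in for the DNSKEY key tag
    secret: bytes   # constructed stand-in for the key material used by sign()


@dataclass
class DnskeyRRset:
    keys: tuple   # Key objects published in this RRset
    sigs: dict    # key_tag -> signature over wire(); stands in for the RRSIGs

    def wire(self) -> bytes:
        # Canonical byte form of the RRset (constructed; real code would use RDATA wire format).
        return b"DNSKEY:" + ",".join(str(t) for t in sorted(k.key_tag for k in self.keys)).encode()


def sign(key: Key, data: bytes) -> bytes:
    return hashlib.sha256(key.secret + data).digest()


def verify(key: Key, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def publish(keys, signers) -> DnskeyRRset:
    """Zone side: publish a DNSKEY RRset carrying signatures from `signers`."""
    rrset = DnskeyRRset(tuple(keys), {})
    rrset.sigs = {k.key_tag: sign(k, rrset.wire()) for k in signers}
    return rrset


def signed_by_any(trusted: dict, rrset: DnskeyRRset) -> bool:
    """True if some signature on the RRset verifies under a key in `trusted` (key_tag -> Key)."""
    return any(tag in trusted and verify(trusted[tag], rrset.wire(), sig)
               for tag, sig in rrset.sigs.items())


def walk_trust_history(trusted_keys, history, max_steps=3):
    """Validator side: chain from the keys last seen online to the current RRset.

    history: DNSKEY RRsets as published by the zone, oldest first.
    max_steps: cap on how many rollovers a validator may catch up on (the
    'maximum' concern raised in the thread); the default of 3 is constructed.
    Returns the key tags of the newest RRset once the whole chain verifies.
    """
    trusted = {k.key_tag: k for k in trusted_keys}
    # Anchor at the newest RRset our keys signed, so the walk starts from the
    # most recent key we held and is as short as possible.
    start = next((i for i in range(len(history) - 1, -1, -1)
                  if signed_by_any(trusted, history[i])), None)
    if start is None:
        raise TrustHistoryError("no published DNSKEY RRset is signed by a trusted key")
    steps = len(history) - 1 - start
    if steps > max_steps:
        raise TrustHistoryError(f"{steps} rollovers behind, more than the allowed {max_steps}")
    trusted = {k.key_tag: k for k in history[start].keys}
    for rrset in history[start + 1:]:
        # Each step must be signed by a key from the previous, already-trusted RRset.
        if not signed_by_any(trusted, rrset):
            raise TrustHistoryError("gap in DNSKEY history: RRset not signed by any previously trusted key")
        trusted = {k.key_tag: k for k in rrset.keys}
    return frozenset(trusted)


def build_history():
    """Constructed zone history: five keys, rolled one at a time with overlap."""
    k = {i: Key(i, f"secret-{i}".encode()) for i in range(1, 6)}
    history = [publish([k[1]], [k[1]]),
               publish([k[1], k[2]], [k[1], k[2]]),
               publish([k[2], k[3]], [k[2], k[3]]),
               publish([k[3], k[4]], [k[3], k[4]]),
               publish([k[4], k[5]], [k[4], k[5]])]
    return k, history


def outcome(trusted_keys, history, max_steps=3):
    """Run the walk and report the result as data rather than raising."""
    try:
        return ("ok", sorted(walk_trust_history(trusted_keys, history, max_steps)))
    except TrustHistoryError as e:
        return ("error", str(e))


if __name__ == "__main__":
    k, history = build_history()
    print(outcome([k[1]], history))          # offline since key 1: chains to ('ok', [4, 5])
    print(outcome([k[3]], history))          # briefly offline: one step, ('ok', [4, 5])
    print(outcome([k[1]], history, 2))       # too far behind for the cap
    print(outcome([Key(0, b"x")], history))  # never held any key in the history
```

The two failure paths are the ones the thread touches on: a validator so far behind that it exceeds the configured maximum is refused rather than silently chained, and a history in which some RRset is not signed by a key from its predecessor is rejected, since the validator has no way to distinguish it from a forged key set.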