Re: [DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)

Tony Finch <dot@dotat.at> Fri, 21 July 2017 11:36 UTC

Date: Fri, 21 Jul 2017 12:36:33 +0100
From: Tony Finch <dot@dotat.at>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
cc: dnsop@ietf.org
In-Reply-To: <20170720150809.qv6nbwsite7icu45@mx4.yitter.info>
Message-ID: <alpine.DEB.2.11.1707211229310.4413@grey.csi.cam.ac.uk>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CAN6NTqwi62xGtLnjNtV-CDCBKBV1TVEsCjbGUvtf_nxmcZEapw@mail.gmail.com> <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com> <20170720150809.qv6nbwsite7icu45@mx4.yitter.info>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D_XjGok4JQfLG0JpbHUcQm72fZI>
Subject: Re: [DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)

Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
>
> For instance, people also express astonishment that DNSKEYs don't
> expire.  Everyone always has to be reminded that signatures expire, and
> if you want to expire keys you take them out of the zone.

I agree with your message.

It might be useful to explain this DNSKEY oddity by comparison with X.509
certificates. In particular, it's the cert that expires, not the key, and
when you renew a cert you can re-use the same key.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Portland, Plymouth, North Biscay: Southerly or southwesterly 6 to gale 8
veering westerly or southwesterly 4 or 5, occasionally 6 later. Moderate or
rough. Rain or showers. Good, occasionally poor.
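An added example (not part of this thread or any project's code) of the point above: validity lives in the RRSIG, not the DNSKEY. It parses RRSIG records in the presentation format `dig` prints and checks a timestamp against the inception/expiration window with the RFC 1982 serial arithmetic that RFC 4034 prescribes. The records, the zone name `example.test` and key tag 12345 are constructed sample data, and the key and signature fields are placeholders.

```python
from datetime import datetime, timezone

MOD = 1 << 32  # RRSIG timestamps are 32-bit seconds since the epoch (RFC 4034 3.1.5)

# Constructed sample records (not real data): one DNSKEY and two successive RRSIGs
# over the A RRset made with the same key. Only the RRSIG lines carry timestamps;
# the DNSKEY line has none, which is the "surprise" the thread discusses.
SAMPLE_RECORDS = """\
example.test. 3600 IN DNSKEY 257 3 13 KEYDATAPLACEHOLDER==
example.test. 3600 IN RRSIG A 13 2 3600 20170801000000 20170711000000 12345 example.test. SIG1PLACEHOLDER==
example.test. 3600 IN RRSIG A 13 2 3600 20170901000000 20170811000000 12345 example.test. SIG2PLACEHOLDER==
"""


def rrsig_time_to_serial(text):
    """YYYYMMDDHHMMSS in UTC (RFC 4034 3.2 presentation form) -> 32-bit wire value."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_lt(a, b):
    """RFC 1982 serial-number 'a < b' on 32-bit values, so the comparison still
    behaves when the 32-bit epoch counter wraps (in 2106)."""
    return a != b and (b - a) % MOD < MOD // 2


def parse_rrsigs(zone_text):
    """Extract type-covered, expiration, inception and key tag from RRSIG lines.
    Presentation field order: owner TTL class RRSIG type alg labels origTTL
    expiration inception keytag signer signature (13 fields)."""
    sigs = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 13 and f[3] == "RRSIG":
            sigs.append({
                "type_covered": f[4],
                "expiration": rrsig_time_to_serial(f[8]),
                "inception": rrsig_time_to_serial(f[9]),
                "key_tag": int(f[10]),
            })
    return sigs


def valid_key_tags(zone_text, at_text):
    """Key tags of RRSIGs whose window contains the time `at_text` (YYYYMMDDHHMMSS UTC):
    inception <= now <= expiration, compared in serial arithmetic."""
    now = rrsig_time_to_serial(at_text)
    return [s["key_tag"] for s in parse_rrsigs(zone_text)
            if not serial_lt(now, s["inception"])
            and not serial_lt(s["expiration"], now)]
```

Running `valid_key_tags(SAMPLE_RECORDS, ...)` for dates in July and late August returns the same key tag each time from a different signature, which is the DNSSEC analogue of renewing a certificate without changing the key.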