IETF Logo Mail Archive

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

Tony Finch <dot@dotat.at> Wed, 15 January 2014 11:30 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 885621AE359 for <dnsop@ietfa.amsl.com>; Wed, 15 Jan 2014 03:30:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.438
X-Spam-Level:
X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Lcyt0ho6oud for <dnsop@ietfa.amsl.com>; Wed, 15 Jan 2014 03:30:39 -0800 (PST)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f33]) by ietfa.amsl.com (Postfix) with ESMTP id BC74C1AE34D for <dnsop@ietf.org>; Wed, 15 Jan 2014 03:30:39 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:48102) by ppsw-33.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpa (EXTERNAL:fanf2) id 1W3Ofy-0006Kb-hc (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Wed, 15 Jan 2014 11:30:26 +0000
Received: from fanf2 by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1W3Ofy-0005Vk-FJ (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Wed, 15 Jan 2014 11:30:26 +0000
Date: Wed, 15 Jan 2014 11:30:26 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Andrew Sullivan <ajs@anvilwalrusden.com>
In-Reply-To: <20140114200849.GA17907@mx1.yitter.info>
Message-ID: <alpine.LSU.2.00.1401151122550.13642@hermes-2.csi.cam.ac.uk>
References: <20140114172240.GO17198@mx1.yitter.info> <C6EFA413-1FFC-4188-B98A-13C747981FBC@hopcount.ca> <20140114200849.GA17907@mx1.yitter.info>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2014 11:30:42 -0000

Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
>
> It _might_, if the idea were instead that validators used n of m.

N of M validation also solves the other problems Joe mentioned, to do with
key rollover and failure to sign. That is, if a signer drops out (because
it failed to sign the DNSKEY RRset, or because it rolled its key)
validators will continue to work securely, and can update their trust
anchors at leisure.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

v2.23.0 | Report a Bug | By Email