Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
Tony Finch <dot@dotat.at> Wed, 15 January 2014 11:30 UTC
Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
>
> It _might_, if the idea were instead that validators used n of m.

N of M validation also solves the other problems Joe mentioned, to do with
key rollover and failure to sign. That is, if a signer drops out (because
it failed to sign the DNSKEY RRset, or because it rolled its key)
validators will continue to work securely, and can update their trust
anchors at leisure.

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
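The n-of-m acceptance rule described in the message above, as an added sketch that is not part of the original post or of any resolver's code. Assumptions: HMAC-SHA256 stands in for RRSIG public-key verification, and the signer names, keys, RRset bytes and the 2-of-3 threshold are constructed for illustration.

```python
import hashlib
import hmac

def sign(key: bytes, rrset: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for a real RRSIG public-key signature.
    return hmac.new(key, rrset, hashlib.sha256).digest()

def validate_n_of_m(rrset, rrsigs, trust_anchors, n):
    """Accept rrset if at least n distinct configured trust anchors signed it.

    rrsigs and trust_anchors map a signer id (hypothetical stand-in for a
    key tag) to a signature and to a key, respectively."""
    good = set()
    for signer, key in trust_anchors.items():
        sig = rrsigs.get(signer)
        if sig is not None and hmac.compare_digest(sig, sign(key, rrset)):
            good.add(signer)
    return len(good) >= n, sorted(good)

# Constructed sample data: three independent signers, validator needs 2 of 3.
ANCHORS = {"signer-a": b"key-a-v1", "signer-b": b"key-b-v1", "signer-c": b"key-c-v1"}
RRSET = b". IN DNSKEY <constructed rdata for signers a, b, c>"
N = 2

def scenarios():
    # The RRset bytes are held constant across cases for brevity.
    full = {s: sign(k, RRSET) for s, k in ANCHORS.items()}
    # signer-b failed to sign the DNSKEY RRset.
    dropped = {s: sig for s, sig in full.items() if s != "signer-b"}
    # signer-b rolled its key; the validator still holds the old anchor.
    rolled = dict(full, **{"signer-b": sign(b"key-b-v2", RRSET)})
    # Only one configured anchor signs; a key the validator never trusted
    # adds nothing toward the threshold.
    below = {"signer-a": full["signer-a"], "signer-x": sign(b"key-x", RRSET)}
    cases = {"all sign": full, "b fails to sign": dropped,
             "b rolled key": rolled, "only a signs": below}
    return {name: validate_n_of_m(RRSET, sigs, ANCHORS, N)
            for name, sigs in cases.items()}

if __name__ == "__main__":
    for name, (ok, signers) in scenarios().items():
        print(f"{name:16} accepted={ok} valid_anchors={signers}")
```

In the two dropout cases the validator still accepts on the remaining two anchors, which is the window in which the stale anchor for signer-b can be replaced.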