Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-01.txt

Wes Hardaker <wjhns1@hardakers.net> Thu, 25 May 2017 21:31 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A34A512941D for <dnsop@ietfa.amsl.com>; Thu, 25 May 2017 14:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.502
X-Spam-Level:
X-Spam-Status: No, score=-1.502 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1JLHPlKAq8G for <dnsop@ietfa.amsl.com>; Thu, 25 May 2017 14:31:43 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.236.43]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4D0E127863 for <dnsop@ietf.org>; Thu, 25 May 2017 14:31:43 -0700 (PDT)
Received: from localhost (unknown [10.0.0.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id 0F3772087E; Thu, 25 May 2017 14:31:43 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Bob Harold <rharolde@umich.edu>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "dnsop\@ietf.org" <dnsop@ietf.org>
References: <149560445570.28419.14767177653896917226@ietfa.amsl.com> <33126a41-8fb6-b2d9-8d1d-2d6a9a8cf0d5@comcast.net> <ybl60gq9bq2.fsf@wu.hardakers.net> <8AF24B97-BB51-4A1C-8FF2-C53B32552ACA@vpnc.org> <CA+nkc8B-Oo-EncTvXfKUqYLTuNEivVbqJKbRYRsnpMak6a9fGg@mail.gmail.com>
Date: Thu, 25 May 2017 14:31:42 -0700
In-Reply-To: <CA+nkc8B-Oo-EncTvXfKUqYLTuNEivVbqJKbRYRsnpMak6a9fGg@mail.gmail.com> (Bob Harold's message of "Thu, 25 May 2017 14:27:06 -0400")
Message-ID: <ybllgpkd3nl.fsf@w7.hardakers.net>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iIlKmMab6QHqMY7Lp0z4PMQVvg8>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 21:31:45 -0000

Bob Harold <rharolde@umich.edu> writes:

> I might be wrong, but it would seem to me that the doc covers two situations:
> 1. How long to wait after publishing a key before signing exclusively with that key.

Thank you.  That is exactly the intent of the document.  

> 2. How long after you stop signing with a key before you remove it.

Actually, it's how long you have to wait before removing a key that you
set the revoke bit on.

> And both should apply no matter how many keys a zone happens to have.

Yes yes yes.  It has nothing to do with the number of keys.  It's purely
the "if you exclusively sign with a (any) new key before it has been
published for this length of time, you're vulnerable to attack".

-- 
Wes Hardaker
USC/ISI