Re: [DNSOP] I-D Action:draft-ietf-dnsop-dnssec-trust-history-01.txt
"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Mon, 22 February 2010 10:17 UTC
Return-Path: <wouter@nlnetlabs.nl>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AD6D928C0FC for <dnsop@core3.amsl.com>; Mon, 22 Feb 2010 02:17:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDsTsR28cgP2 for <dnsop@core3.amsl.com>; Mon, 22 Feb 2010 02:17:42 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id 4094528C299 for <dnsop@ietf.org>; Mon, 22 Feb 2010 02:17:42 -0800 (PST)
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id o1MAJbhr032917 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <dnsop@ietf.org>; Mon, 22 Feb 2010 11:19:38 +0100 (CET) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <4B825A39.7010903@nlnetlabs.nl>
Date: Mon, 22 Feb 2010 11:19:37 +0100
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20100120 Fedora/3.0.1-1.fc11 Thunderbird/3.0.1
MIME-Version: 1.0
To: dnsop@ietf.org
References: <20100222100003.C836328C28F@core3.amsl.com>
In-Reply-To: <20100222100003.C836328C28F@core3.amsl.com>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.3 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Mon, 22 Feb 2010 11:19:38 +0100 (CET)
Subject: Re: [DNSOP] I-D Action:draft-ietf-dnsop-dnssec-trust-history-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2010 10:17:43 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, The dnsop wg adopted this draft at the IETF meeting and with discussion on the mailing list afterwards. The draft-ietf-dnsop-dnssec-trust-history-00 is a copy of draft-wijngaards-dnsop-trust-history-02. draft-ietf-dnsop-dnssec-trust-history-01 contains updates after the discussion in the working group. For your diff pleasure :-). As far as I can tell this captures all the comments. There is some new text to help validator operators decide on the deployment options facing them (secure-vendor-update vs better-than-nothing). I do not think this should become too extensive, but because there are protocol effects - the X years for old keys - it is therefore good to discuss the ramifications. Best regards, Wouter On 02/22/2010 11:00 AM, Internet-Drafts@ietf.org wrote: > When DNS validators have trusted keys, but have been offline for a > longer period, key rollover will fail and they are stuck with stale > trust anchors. History service allows validators to query for older > DNSKEY RRsets and pick up the rollover trail where they left off. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-ietf-dnsop-dnssec-trust-history-01.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkuCWjkACgkQkDLqNwOhpPjgHQCgpouFN36LhXJsLAcyO19Mg/6+ lgoAn1eVTByTKssRdbS1TdqDWJMiEw2v =oexU -----END PGP SIGNATURE-----
- [DNSOP] I-D Action:draft-ietf-dnsop-dnssec-trust-… Internet-Drafts
- Re: [DNSOP] I-D Action:draft-ietf-dnsop-dnssec-tr… W.C.A. Wijngaards