[DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-12.txt

internet-drafts@ietf.org Fri, 23 March 2018 08:15 UTC

Return-Path: <internet-drafts@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E6EF124E15; Fri, 23 Mar 2018 01:15:05 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.76.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152179290553.17526.4850948042855013244@ietfa.amsl.com>
Date: Fri, 23 Mar 2018 01:15:05 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sVdzQXos0Yfh7Ef6SUlzjdKJmqE>
Subject: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-12.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 08:15:05 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : Security Considerations for RFC5011 Publishers
        Authors         : Wes Hardaker
                          Warren Kumari
	Filename        : draft-ietf-dnsop-rfc5011-security-considerations-12.txt
	Pages           : 20
	Date            : 2018-03-23

Abstract:
   This document extends the RFC5011 rollover strategy with timing
   advice that must be followed by the publisher in order to maintain
   security.  Specifically, this document describes the math behind the
   minimum time-length that a DNS zone publisher must wait before
   signing exclusively with recently added DNSKEYs.  This document also
   describes the minimum time-length that a DNS zone publisher must wait
   after publishing a revoked DNSKEY before assuming that all active
   RFC5011 resolvers should have seen the revocation-marked key and
   removed it from their list of trust anchors.

   This document contains much math and complicated equations, but the
   summary is that the key rollover / revocation time is much longer
   than intuition would suggest.  If you are not both publishing a
   DNSSEC DNSKEY, and using RFC5011 to advertise this DNSKEY as a new
   Secure Entry Point key for use as a trust anchor, you probably don't
   need to read this document.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5011-security-considerations/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-rfc5011-security-considerations-12
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5011-security-considerations-12

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc5011-security-considerations-12


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/