[DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-09.txt
internet-drafts@ietf.org Fri, 08 December 2017 01:10 UTC
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1559A120726; Thu, 7 Dec 2017 17:10:56 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Cc: dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.67.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <151269545604.5910.4395741014662511280@ietfa.amsl.com>
Date: Thu, 07 Dec 2017 17:10:56 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ug_QBt1C5o-qyOo4Vx6uMTEgMzs>
Subject: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-09.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Dec 2017 01:10:56 -0000
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.
Title : Security Considerations for RFC5011 Publishers
Authors : Wes Hardaker
Warren Kumari
Filename : draft-ietf-dnsop-rfc5011-security-considerations-09.txt
Pages : 19
Date : 2017-12-07
Abstract:
This document extends the RFC5011 rollover strategy with timing
advice that must be followed by the publisher in order to maintain
security. Specifically, this document describes the math behind the
minimum time-length that a DNS zone publisher must wait before
signing exclusively with recently added DNSKEYs. This document also
describes the minimum time-length that a DNS zone publisher must wait
after publishing a revoked DNSKEY before assuming that all active
RFC5011 resolvers should have seen the revocation-marked key and
removed it from their list of trust anchors.
This document contains much math and complicated equations, but the
summary is that the key rollover / revocation time is much longer
than intuition would suggest. If you are not both publishing a
DNSSEC DNSKEY, and using RFC5011 to advertise this DNSKEY as a new
Secure Entry Point key for use as a trust anchor, you probably don't
need to read this document.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5011-security-considerations/
There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-rfc5011-security-considerations-09
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5011-security-considerations-09
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc5011-security-considerations-09
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
- [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-secu… internet-drafts