[DNSOP] rfc4641bis: ZSK-roll-frequency
Olaf Kolkman <olaf@NLnetLabs.nl> Thu, 21 January 2010 13:28 UTC
From: Olaf Kolkman <olaf@NLnetLabs.nl>
Date: Thu, 21 Jan 2010 14:28:36 +0100
Message-Id: <F69DBA62-DFD6-4AD8-9849-6B20FAD1C13A@NLnetLabs.nl>
To: dnsop WG <dnsop@ietf.org>
As a reminder: http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/ has the open issues listed and a per-issue highlight of their history. This issue is captured in http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/ZSK-roll-frequency; the current content of that page is replicated below.

I welcome substantive discussion on-list, while I'd be happy to receive editorial comments off-list. If the chair believes the current text captures consensus I will move this issue to the closed issues list.

--Olaf

$Id: ZSK-roll-frequency 31 2009-10-07 08:19:53Z olaf $

2008090101 ZSK-roll-frequency
EKR / Paul Hoffman
Added: 7 Oct 2009
See: http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

RFC 4641 argues for frequent ZSK rollovers; the argument therein is based on operational arguments that are (implicitly) based on operator access to private keys and/or the timeline in which the (zone) operator may need to be replaced. EKR's argument is based on cryptographic strength and argues another view. The current considerations need to be made more explicit.

Resolution: Added the following paragraph to section 3.3:

<t>
The motivation for having the ZSK's effectivity period shorter than the KSK's effectivity period is rooted in the operational consideration that it is more likely that operators have more frequent read access to the ZSK than to the KSK. If ZSKs are maintained on cryptographic Hardware Security Modules (HSM) then the motivation to have different key effectivity periods is weakened.
</t>

________________________________________________________
Olaf M. Kolkman
NLnet Labs
Science Park 140, http://www.nlnetlabs.nl/
1098 XG Amsterdam
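The paragraph above turns on each key role having its own effectivity period, with the ZSK's shorter than the KSK's. A zone operator who wants to check that a published zone actually honours such a policy needs to tell KSKs from ZSKs (the SEP bit in the DNSKEY flags), compute key tags (RFC 4034 Appendix B) to match RRSIGs to keys, and compare how long each key has been signing with the period its role allows. The script below is an added example written for this page; it is not part of rfc4641bis or of any NLnet Labs tool. The policy periods (30 days for a ZSK, 365 for a KSK), the zone records and their 4-byte "public keys" are constructed for illustration, and the in-use span of a key is approximated by the earliest RRSIG inception and latest RRSIG expiration that reference its key tag, which is a lower bound on the key's real age, not a substitute for the signer's own key inventory.

```python
"""Audit how long each DNSKEY has been signing versus a per-role effectivity period.

Added example, not part of the rfc4641bis text or of NLnet Labs tooling.
Assumptions (not from the page): the policy periods, the sample records and
the 4-byte fake public keys are constructed; a key's in-use span is taken as
the earliest inception / latest expiration of the RRSIGs that carry its tag.
"""
import base64
from datetime import datetime, timezone

# Constructed policy: ZSK effectivity period shorter than the KSK's.
POLICY_DAYS = {"ZSK": 30, "KSK": 365}

# Constructed zone snapshot. The public keys and signatures are placeholders
# (base64 of a few bytes); nothing here is cryptographically verified.
SAMPLE_DNSKEYS = [
    "example. 3600 IN DNSKEY 257 3 8 BQYHCA==",   # flags 257 -> SEP bit set -> KSK
    "example. 3600 IN DNSKEY 256 3 8 AQIDBA==",   # flags 256 -> ZSK
]
SAMPLE_RRSIGS = [
    "example. 3600 IN RRSIG DNSKEY 8 1 3600 20100301000000 20100101000000 4119 example. c2ln",
    "www.example. 3600 IN RRSIG A 8 2 3600 20100201000000 20091201000000 2062 example. c2ln",
    "example. 3600 IN RRSIG SOA 8 1 3600 20100125000000 20100115000000 2062 example. c2ln",
]


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags|proto|alg|pubkey)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one presentation-format DNSKEY RR and classify it as KSK or ZSK."""
    owner, _ttl, _cls, _rtype, flags, proto, alg, key_b64 = line.split(None, 7)
    flags, proto, alg = int(flags), int(proto), int(alg)
    pubkey = base64.b64decode("".join(key_b64.split()))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    # Flags bit 15 (0x0001) is the Secure Entry Point bit used to mark a KSK.
    role = "KSK" if flags & 0x0001 else "ZSK"
    return {"owner": owner, "tag": key_tag(rdata), "role": role, "alg": alg}


def parse_rrsig(line: str) -> dict:
    """Parse an RRSIG RR: owner ttl class RRSIG covered alg labels origttl exp inc tag signer sig."""
    f = line.split()
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"covered": f[4], "tag": int(f[10]), "expiration": ts(f[8]), "inception": ts(f[9])}


def audit(dnskey_lines, rrsig_lines, policy=POLICY_DAYS) -> list:
    """Return one report entry per published key that has signatures in the snapshot."""
    keys = {k["tag"]: k for k in map(parse_dnskey, dnskey_lines)}
    spans = {}
    for sig in map(parse_rrsig, rrsig_lines):
        if sig["tag"] not in keys:
            continue  # signed by a key that is no longer published; out of scope here
        span = spans.setdefault(sig["tag"], [sig["inception"], sig["expiration"]])
        span[0] = min(span[0], sig["inception"])
        span[1] = max(span[1], sig["expiration"])
    report = []
    for tag, (start, end) in spans.items():
        role = keys[tag]["role"]
        days = (end - start).days
        report.append({"tag": tag, "role": role, "span_days": days,
                       "limit_days": policy[role], "overdue": days > policy[role]})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_DNSKEYS, SAMPLE_RRSIGS):
        flag = "OVERDUE" if entry["overdue"] else "ok"
        print(f"{entry['role']} tag {entry['tag']}: signing span {entry['span_days']}d "
              f"(limit {entry['limit_days']}d) {flag}")
```

On the constructed snapshot the ZSK (tag 2062) has signatures spanning 62 days against a 30-day limit and is reported overdue, while the KSK (tag 4119) is well inside its 365-day period. Because an RRSIG span only bounds a key's age from below, the check can confirm a policy violation but never prove compliance; the authoritative record remains the signer's key inventory, whether that lives in an HSM or on disk.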
- [DNSOP] rfc4641bis: ZSK-roll-frequency Olaf Kolkman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Eric Rescorla
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Rose, Scott W.
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Olaf Kolkman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Rose, Scott W.
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Tony Finch
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Hoffman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Wouters
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Eric Rescorla
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Hoffman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Olaf Kolkman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Eric Rescorla
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Masataka Ohta
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Masataka Ohta
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Hoffman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Masataka Ohta
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency David Conrad
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Eric Rescorla
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Todd Glassey
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency David Conrad
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Hoffman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency David Conrad
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Roy Arends
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Wouters
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Roy Arends
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Eric Rescorla
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Todd Glassey
- [DNSOP] key rollover for real Jim Reid
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Wouters
- Re: [DNSOP] key rollover for real Roy Arends
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Eric Rescorla
- Re: [DNSOP] key rollover for real Jim Reid
- Re: [DNSOP] key rollover for real Roy Arends
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Wouters
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Eric Rescorla
- Re: [DNSOP] key rollover for real Andrew Sullivan
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Todd Glassey
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Tony Finch
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Hoffman
- Re: [DNSOP] key rollover for real Joe Abley
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency bmanning
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Alex Bligh
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Todd Glassey
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Hoffman
- Re: [DNSOP] key rollover for real Andrew Sullivan
- Re: [DNSOP] key rollover for real David Conrad
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Eric Rescorla
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Niall O'Reilly
- [DNSOP] Value of 4641bis Paul Hoffman
- Re: [DNSOP] Value of 4641bis Thierry Moreau
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Edward Lewis
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Wouters
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Francis Dupont
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Hoffman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Rose, Scott W.
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Paul Hoffman
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Masataka Ohta
- Re: [DNSOP] rfc4641bis: ZSK-roll-frequency Francis Dupont