Re: [DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)

"Peter van Dijk" <peter.van.dijk@powerdns.com> Fri, 21 July 2017 23:52 UTC

From: "Peter van Dijk" <peter.van.dijk@powerdns.com>
To: dnsop <dnsop@ietf.org>
Date: Sat, 22 Jul 2017 01:52:34 +0200
Subject: Re: [DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)

Hello George,

On 21 Jul 2017, at 14:58, George Michaelson wrote:

> I (for one) hang onto the .req file. Maybe that's naughty, but I do, so
> in my case Warren's routine is that the keypair is being reused,
> because.. well.. because I like to. Software I consume I suspect (like
> you) doesn't, and re-mints shiny new keys now with added keynomium,
> but when I do it by hand? Yes, I reuse the .req file.

As a data point, several Let’s Encrypt clients will reuse keys. Those
that do not by default can often be configured to do so. The benefits of
reusing the key should be obvious to anyone that also uses TLSA. If you
think about it, a TLSA record is also a certificate, but your signer
auto-renews it for you.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
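A check for the point Peter makes above, added here as an example (not code from the original post or from any Let's Encrypt client): it pulls the SubjectPublicKeyInfo out of a certificate with a minimal DER walker, derives the TLSA certificate association data for selectors 0 (full certificate) and 1 (SPKI) per RFC 6698, and shows that a "3 1 1" record survives a renewal only when the key pair is reused, while a "3 0 1" record breaks on every renewal. The certificates and keys are constructed dummies with the real X.509 field order but no real signature.

```python
import hashlib
def der(tag, payload):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def _bounds(data, i):
    """(value_start, value_end) of the TLV whose tag byte sits at data[i]."""
    ln, j = data[i + 1], i + 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, j = int.from_bytes(data[j:j + k], "big"), j + k
    return j, j + ln
def children(tlv):  # child TLVs (raw bytes) of a constructed DER value
    i, end = _bounds(tlv, 0)
    out = []
    while i < end:
        out.append(tlv[i:_bounds(tlv, i)[1]])
        i += len(out[-1])
    return out

def spki_of(cert_der):
    """SubjectPublicKeyInfo: 6th tbsCertificate field once the optional [0] version is skipped."""
    fields = children(children(cert_der)[0])
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def tlsa_rdata(cert_der, selector, mtype):
    """Certificate association data per RFC 6698: selector 0 = full cert, 1 = SPKI; mtype 0/1/2."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return data.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()

def toy_spki(key_bytes):
    """Constructed SPKI: AlgorithmIdentifier (id-ecPublicKey OID) + BIT STRING holding a dummy key."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))
def toy_cert(serial, spki):
    """Constructed stand-in for a v3 certificate: real field order, empty/dummy contents, no real signature."""
    tbs = [der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial]))] + [der(0x30, b"")] * 4 + [spki]
    return der(0x30, der(0x30, b"".join(tbs)) + der(0x30, b"") + der(0x03, b"\x00"))

def renewal_check(reuse_key):
    """Do '3 0 1' and '3 1 1' TLSA data published for the old cert still match after renewal?"""
    old_key, new_key = b"\x04" + bytes(64), b"\x04" + bytes(range(64))   # constructed dummy keys
    old = toy_cert(1, toy_spki(old_key))
    new = toy_cert(2, toy_spki(old_key if reuse_key else new_key))
    return {sel: tlsa_rdata(new, sel, 1) == tlsa_rdata(old, sel, 1) for sel in (0, 1)}
```

On a real deployment the same comparison can be run against the PEM your ACME client just wrote (decode the base64 body to DER first) before the new chain is installed, so a key rollover that would orphan the published TLSA record is caught at renewal time rather than by clients.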