To: "D. J. Bernstein" <djb@cr.yp.to>
Cc: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: Mark.Andrews@nominum.com
Date: Sat, 28 Jul 2001 17:31:20 +1000
In-reply-to: Your message of "28 Jul 2001 06:08:23 GMT." <20010728060823.20080.qmail@cr.yp.to>
Sender: owner-dnsop@cafax.se
Subject: Re: NGtrans - DNSext joint meeting, call for participation
> Mark.Andrews@nominum.com writes:
> > there is no requirement to re-sign every record to achieve
> > your 1 day expiry. Just change the zone key whenever you change
> > zone data and have a 1 day expiry on the zone key's signature.
>
> No. If you maintain the validity of signatures on old records, you're
> allowing the attack to succeed. If you don't maintain the validity of
> those signatures, you have to immediately sign those records again.
>
> Please withdraw your claim.
Dan,
your claim is that you have to re-sign every record in
a zone daily to achieve a 1 day replay window. I'm stating
that you can achieve the same protection without re-signing
every record daily.
Pre change:
example.com KEY alpha
example.com SIG KEY expire=200107292257 (1 day)
host.example.com A 1.2.3.4
host.example.com SIG A expire=200108272257 (30 days)
Post change:
example.com KEY beta
example.com SIG KEY expire=200107072258 (1 day)
host.example.com A 1.2.3.5
host.example.com SIG A expire=200108272258 (30 days)
Please explain how you can verify
host.example.com A 1.2.3.4
host.example.com SIG A expire=200108272257
after 200107292257.
Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com
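The argument in the message above, as an added illustration that is not code from either participant: a simplified model of DNSSEC chain validation over the pre-change and post-change records listed, showing that the replayed host.example.com A 1.2.3.4 stops verifying once the old KEY's signature expires at 200107292257, even though its own SIG A runs for 30 days. Assumptions (not stated in the message): the apex KEY RRset is signed by a parent key the verifier already trusts, and the post-change KEY signature expires one day after the change (constructed value 200107302258).

```python
from datetime import datetime

ZONE = "example.com"
TRUST_ANCHOR = "parent"   # assumption: the apex KEY RRset is signed by a key the verifier already trusts

def ts(s):
    """Parse the YYYYMMDDHHMM expiry notation used in the message."""
    return datetime.strptime(s, "%Y%m%d%H%M")

def sig(owner, rrtype, signer, expire):
    """A SIG record: which RRset it covers, which key produced it, when it expires."""
    return {"owner": owner, "type": rrtype, "signer": signer, "expire": ts(expire)}

def rrset_verified(rrsets, sigs, owner, rrtype, now, depth=0):
    """Simplified DNSSEC check: an RRset verifies at `now` only if some covering SIG
    has not expired AND its signing key is either the trust anchor or a member of
    the apex KEY RRset, which must itself verify at `now` (recursively)."""
    if depth > 2 or (owner, rrtype) not in rrsets:
        return False
    for s in sigs:
        if (s["owner"], s["type"]) != (owner, rrtype) or s["expire"] <= now:
            continue                      # covers another RRset, or already expired
        if s["signer"] == TRUST_ANCHOR:
            return True
        if s["signer"] in rrsets.get((ZONE, "KEY"), set()) and \
                rrset_verified(rrsets, sigs, ZONE, "KEY", now, depth + 1):
            return True
    return False

# Pre-change zone as listed in the message (key alpha); SIG KEY signer is the assumed trust anchor.
PRE_RRSETS = {(ZONE, "KEY"): {"alpha"}, ("host." + ZONE, "A"): {"1.2.3.4"}}
PRE_SIGS = [sig(ZONE, "KEY", TRUST_ANCHOR, "200107292257"),
            sig("host." + ZONE, "A", "alpha", "200108272257")]

# Post-change zone (key beta). The KEY expiry here is a constructed value one day after the change.
POST_RRSETS = {(ZONE, "KEY"): {"beta"}, ("host." + ZONE, "A"): {"1.2.3.5"}}
POST_SIGS = [sig(ZONE, "KEY", TRUST_ANCHOR, "200107302258"),
             sig("host." + ZONE, "A", "beta", "200108272258")]

def replay_verifies(now):
    """Whole pre-change zone replayed (old KEY, old SIG KEY, old A, old SIG A): does the A verify?"""
    return rrset_verified(PRE_RRSETS, PRE_SIGS, "host." + ZONE, "A", ts(now))

def current_verifies(now):
    """Does the post-change A 1.2.3.5 verify against the post-change key set?"""
    return rrset_verified(POST_RRSETS, POST_SIGS, "host." + ZONE, "A", ts(now))

if __name__ == "__main__":
    for when in ("200107291200", "200107300000"):
        print(when, "replayed 1.2.3.4:", replay_verifies(when), "current 1.2.3.5:", current_verifies(when))
```

Before 200107292257 the replayed data still verifies (that is the one-day window); after it, only the apex KEY signature needs refreshing each day for the live zone to keep verifying.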