

To: "D. J. Bernstein" <djb@cr.yp.to>
Cc: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: Mark.Andrews@nominum.com
Date: Sun, 29 Jul 2001 23:26:07 +1000
In-reply-to: Your message of "29 Jul 2001 12:14:24 GMT." <20010729121424.4964.qmail@cr.yp.to>
Sender: owner-dnsop@cafax.se
Subject: Re: NGtrans - DNSext joint meeting, call for participation


> Mark.Andrews@nominum.com writes:
> > 	Pre change:
> > 	example.com SIG KEY expire=200107292257 (1 day)
> > 	host.example.com SIG A expire=200108272257 (30 days)
> > 	Post change:
> > 	example.com SIG KEY expire=200107072258 (1 day)
> > 	host.example.com SIG A expire=200108272258 (30 days)
> 
> You are, as I said, signing the host record again. You have to sign all
> your other records too, never mind the costs of generating and
> distributing the new key.

	Is the cost of generating a new key occasionally more or
	less than that of signing all the zone daily?  As for the
	cost of distributing the new key, it is no different to
	continue to distribute the old key apart from the cost in
	getting it signed (which is the same in both your and my
	cases).

> 
> If you change at least one of your records every day---certainly a
> reasonable assumption for the big organizations we're talking about---
> then you are signing all your records every day. The key change isn't
> accomplishing anything.

	You are making ungrounded assumptions here.  Not all large
	organizations keep everything in one flat namespace.  If
	you use the DNS as it was designed to be used you don't
	see every zone in an organization changing daily or even
	monthly (or even a large percentage of them).

> 
> The bottom line remains the same.  Even without renumbering, you are
> signing every record every day.

	Really.  Real life has plenty of examples where existing
	zones are not changed daily.  To get 1 day replay protection
	something needs to be signed daily, however it doesn't have
	to be everything.

> If that isn't a problem, then occasional
> renumbering certainly isn't a problem. If you have one day warning, you
> can renumber for free.

	Iff your assumptions hold true.  In the real world there are
	plenty of cases where they don't.

> 
> ---Dan

	Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
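The point under discussion, that one day of replay protection only needs the short-lived apex KEY SIG refreshed daily while the long-lived per-record SIGs stay put, can be modelled directly from the expiry stamps quoted in the message. The following is an added example, not code from either correspondent or from any DNS implementation: it assumes a simplified trust path in which a record verifies only while both its own SIG and the apex KEY SIG are unexpired, and it uses the "Pre change" expire= values from the quoted output as constructed input.

```python
from datetime import datetime, timedelta

# Constructed zone: the "Pre change" expiry values quoted in the message,
# in the YYYYMMDDHHMM form the quoted output uses. The comments give the
# signature lifetimes the message states for each SIG.
PRE_CHANGE = {
    ("example.com.", "KEY"): "200107292257",     # KEY SIG, 1-day lifetime
    ("host.example.com.", "A"): "200108272257",  # A SIG, 30-day lifetime
}

# Assumption: every record in the zone chains to this one apex KEY SIG.
APEX_KEY = ("example.com.", "KEY")


def parse_expire(stamp):
    """Turn a YYYYMMDDHHMM expiry stamp into a datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M")


def trust_path(name, rtype):
    """Assumed trust path: the record's own SIG plus the apex KEY SIG.
    A validator must find every SIG on this path unexpired."""
    return [(name, rtype), APEX_KEY]


def valid_until(zone, name, rtype):
    """Effective validity of a record: the earliest expiry on its path.
    A 30-day A SIG is only as good as the 1-day KEY SIG above it."""
    return min(parse_expire(zone[sig]) for sig in trust_path(name, rtype))


def validates(zone, name, rtype, now):
    """True if a cached or replayed copy of the zone still verifies at now."""
    return now < valid_until(zone, name, rtype)


def sigs_to_refresh(zone, now, days):
    """Signatures that expire within `days` of `now`: the signing work
    needed to keep every record verifiable for that long."""
    deadline = now + timedelta(days=days)
    return sorted(sig for sig, stamp in zone.items()
                  if parse_expire(stamp) <= deadline)


def resign(zone, sigs, signed_at, days):
    """Return a copy of the zone in which `sigs` carry a new expiry."""
    refreshed = dict(zone)
    expire = signed_at + timedelta(days=days)
    for sig in sigs:
        refreshed[sig] = expire.strftime("%Y%m%d%H%M")
    return refreshed


if __name__ == "__main__":
    host = ("host.example.com.", "A")
    reply_time = parse_expire("200107291214")     # when the thread was written
    print("host A valid until:", valid_until(PRE_CHANGE, *host))
    print("verifies at reply time:", validates(PRE_CHANGE, *host, reply_time))

    # Daily signing work: only the KEY SIG expires within a day.
    print("refresh within 1 day:", sigs_to_refresh(PRE_CHANGE, reply_time, 1))

    # Refresh just the KEY SIG; the replayed old zone then fails a day later
    # while the freshly signed zone still verifies.
    fresh = resign(PRE_CHANGE, [APEX_KEY], parse_expire("200107292200"), 1)
    later = parse_expire("200107301200")
    print("old zone replayed next day:", validates(PRE_CHANGE, *host, later))
    print("re-signed zone next day:", validates(fresh, *host, later))
```

Running it shows the effective validity of the host record being the KEY SIG's expiry rather than its own 30-day one, a single signature in the daily refresh set, and the old zone failing to verify the next day while the zone with only its KEY SIG re-signed still passes.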
