

To: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: "D. J. Bernstein" <djb@cr.yp.to>
Date: 28 Jul 2001 06:08:23 -0000
Automatic-Legal-Notices: Copyright 2001, D. J. Bernstein. My transmission of this message to you does not constitute a copyright waiver or any other limitation of my rights, even if you have told me otherwise.
Content-Disposition: inline
Subject: Re: NGtrans - DNSext joint meeting, call for participation

Mark.Andrews@nominum.com writes:
> there is no requirement to re-sign every record to achieve
> your 1 day expiry.  Just change the zone key whenever you change
> zone data and have a 1 day expiry on the zone key's signature.

No. If you maintain the validity of signatures on old records, you're
allowing the attack to succeed. If you don't maintain the validity of
those signatures, you have to immediately sign those records again.

Please withdraw your claim.

---Dan
