To: Miek Gieben <miekg@atoom.net>
cc: dnsop@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 29 Aug 2003 11:50:02 -0400
In-reply-to: Your message of "Thu, 28 Aug 2003 12:37:44 +0200." <20030828103743.GA15697@atoom.net>
Sender: owner-dnsop@cafax.se
Subject: Re: draft-kolkman-dnssec-operational-practices-00.txt
>>>>> "Miek" == Miek Gieben <miekg@atoom.net> writes:
>> But, in any case, if you believe that the key can be brute forced
>> during any low multiple of the "key publication period", then the
>> period is probably too short, or the keys too small.
^long
Sorry.
Miek> yes, but I'm not sure is something of this wording should be put
Miek> in, although I like the idea of "garbage keys".
If you are very paranoid.
>> It would be good to explain this.
Miek> Maybe adding something like this would help?:
Miek> If the old key gets compromised the new key is already distributed
Miek> in the DNS. A zone administrator is then able to quickly switch to
Miek> the new key and remove the compromised key from the zone.
Yes.
>> The major advantage is that it costs only 1 DNSKEY record, vs
>> O(size-of-zone) DNSSIG records.
Miek> yes, true, took me a moment to parse this, but you mean that you
Miek> don't need to have a double signed zone (which could be really
Miek> big).
Yes, that's the point.
It means that nearly all large zones would want to pre-publish the next
key.
>> I believe that we should have a BCP for this part.
Miek> a separate one? Or be just more verbose in this one?
>> What does it mean to securely notify the parent -- this is a human
>> protocol, not necessarily just a network one.
Miek> I have no idea what it means, it probably means don't use the
Miek> DNS.... :)
A separate BCP on the human protocol for indicating a compromise of a key
via out-of-band protocol.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [
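As an added illustration of the pre-publish argument made above (this is not code from the thread or from the draft), the following toy record-count model of a signed zone, with constructed key tags and RRset names, shows why pre-publishing the successor key costs one DNSKEY record while double-signing costs one RRSIG per RRset, and why a validator that already cached the pre-published key keeps validating after an emergency switch to it.

```python
"""Toy model of DNSSEC pre-publish key rollover: record counts and
cache behaviour only, no cryptography. Key tags (1001, 2002) and the
RRset names below are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    rrsets: list                                  # signed RRsets other than DNSKEY
    dnskeys: set = field(default_factory=set)     # key tags in the DNSKEY RRset
    signers: set = field(default_factory=set)     # key tags the RRSIGs are made with

    def records(self) -> int:
        """DNSKEY records plus one RRSIG per RRset per signing key."""
        return len(self.dnskeys) + len(self.rrsets) * len(self.signers)


def prepublish(zone: Zone, new_tag: int) -> int:
    """Pre-publish: add the successor to DNSKEY only. Returns extra records."""
    before = zone.records()
    zone.dnskeys.add(new_tag)
    return zone.records() - before          # always 1


def double_sign(zone: Zone, new_tag: int) -> int:
    """Alternative: publish the successor AND sign every RRset with it."""
    before = zone.records()
    zone.dnskeys.add(new_tag)
    zone.signers.add(new_tag)
    return zone.records() - before          # 1 + number of RRsets


def emergency_switch(zone: Zone, compromised: int, new_tag: int) -> None:
    """Re-sign with the new key and drop the compromised one from DNSKEY."""
    zone.signers = {new_tag}
    zone.dnskeys.discard(compromised)


def resolver_validates(cached_dnskeys: set, zone: Zone) -> bool:
    """A validator still holding a cached DNSKEY RRset can check the zone's
    current RRSIGs only if one of the signing keys is in that cached set."""
    return bool(cached_dnskeys & zone.signers)


if __name__ == "__main__":
    z = Zone(rrsets=[f"rr{i}" for i in range(10000)], dnskeys={1001}, signers={1001})
    print("pre-publish adds", prepublish(z, 2002), "record(s)")
    cached = set(z.dnskeys)                 # validator caches DNSKEY with both keys
    emergency_switch(z, 1001, 2002)
    print("validates after switch:", resolver_validates(cached, z))
```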