To: Miek Gieben <miekg@atoom.net>
cc: dnsop@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 29 Aug 2003 11:50:02 -0400
In-reply-to: Your message of "Thu, 28 Aug 2003 12:37:44 +0200." <20030828103743.GA15697@atoom.net>
Sender: owner-dnsop@cafax.se
Subject: Re: draft-kolkman-dnssec-operational-practices-00.txt
>>>>> "Miek" == Miek Gieben <miekg@atoom.net> writes:

  >> But, in any case, if you believe that the key can be brute forced
  >> during any low multiple of the "key publication period", then the
  >> period is probably too short, or the keys too small.
                                ^long

Sorry.

  Miek> yes, but I'm not sure if something of this wording should be put
  Miek> in, although I like the idea of "garbage keys".

If you are very paranoid.

  >> It would be good to explain this.

  Miek> Maybe adding something like this would help?:

  Miek>   If the old key gets compromised the new key is already distributed
  Miek>   in the DNS. A zone administrator is then able to quickly switch to
  Miek>   the new key and remove the compromised key from the zone.

Yes.

  >> The major advantage is that it costs only 1 DNSKEY record, vs
  >> O(size-of-zone) DNSSIG records.

  Miek> yes, true, took me a moment to parse this, but you mean that you
  Miek> don't need to have a double signed zone (which could be really
  Miek> big).

Yes, that's the point. It means that nearly all large zones would want to
pre-publish the next key.

  >> I believe that we should have a BCP for this part.

  Miek> a separate one? Or be just more verbose in this one?

  >> What does it mean to securely notify the parent -- this is a human
  >> protocol, not necessarily just a network one.

  Miek> I have no idea what it means, it probably means don't use the
  Miek> DNS.... :)

A separate BCP on the human protocol for indicating a compromise of a key
via out-of-band protocol.

]  Out and about in Ottawa.    hmmm... beer.                        |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
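The trade-off discussed in this exchange, as an added example that is not part of the original thread or of the draft: a small Python model of the pre-publish ZSK rollover, giving the earliest cache-safe moment for each stage, the wait a zone faces after a key compromise with and without a pre-published successor, and the peak record overhead of pre-publishing versus double signing. The `ZoneTiming` fields and all TTL and propagation values are constructed assumptions, not numbers from the draft.

```python
"""Model of the ZSK rollover trade-off: pre-publish the next key versus
double-sign the whole zone. Added example; timing inputs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneTiming:
    dnskey_ttl: int    # TTL of the apex DNSKEY RRset, in seconds
    max_data_ttl: int  # largest TTL among the zone's signed RRsets
    propagation: int   # worst case for every secondary to serve a new serial


def cache_flush(ttl: int, t: ZoneTiming) -> int:
    """Seconds until no resolver can still hold the pre-change RRset."""
    return ttl + t.propagation


def pre_publish_schedule(t: ZoneTiming, publish_at: int = 0) -> dict:
    """Earliest safe start of each pre-publish stage, relative to publish_at.

    The new key may sign data only once every cache holds a DNSKEY RRset
    containing it; the old key may be removed only once no cache can still
    hold an RRSIG it produced.
    """
    switch = publish_at + cache_flush(t.dnskey_ttl, t)
    return {
        "publish_new_dnskey": publish_at,
        "sign_with_new_key": switch,
        "remove_old_dnskey": switch + cache_flush(t.max_data_ttl, t),
    }


def emergency_switch_wait(t: ZoneTiming, next_key_prepublished: bool) -> int:
    """Seconds after a ZSK compromise before validators everywhere can verify
    signatures made with the replacement key. Zero if it was pre-published."""
    return 0 if next_key_prepublished else cache_flush(t.dnskey_ttl, t)


def rollover_overhead(rrsets: int) -> dict:
    """Extra records carried at the rollover peak, beyond the steady state of
    one ZSK plus one RRSIG per signed RRset."""
    return {
        "pre_publish": 1,            # one extra DNSKEY; signatures unchanged
        "double_signature": rrsets,  # a second RRSIG on every signed RRset
    }


if __name__ == "__main__":
    timing = ZoneTiming(dnskey_ttl=3600, max_data_ttl=86400, propagation=600)
    print(pre_publish_schedule(timing))
    print(emergency_switch_wait(timing, True), emergency_switch_wait(timing, False))
    print(rollover_overhead(rrsets=100_000))
```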