To: Edward Lewis <Ed.Lewis@neustar.biz>
CC: ietf-provreg@cafax.se
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Date: Tue, 25 Oct 2005 21:02:01 +0200
In-Reply-To: <a06200702bf841920cb3f@[192.35.167.157]>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Subject: Re: [ietf-provreg] secdns draft
Edward Lewis wrote:
> At 18:49 +0200 10/25/05, Klaus Malorny wrote:
>
> To explain #2. Imagine a registrant creates a key and the (DS data
> representing the) key is sent to the registry. If the registrant's
> private key is then "stolen/guessed/exposed", the party that has gained
> illegitimate access to the key can abuse the key as long as the DS
> record is seen as valid. So, shortening the DS record means the window
> of vulnerability is lessened.
>
> The TTL record value was also considered, but the DNSSEC specs (RFC
> 4034, etc.) already specify the TTL value.
>
>> related to the above:
>>
>> ** what should the registry do at the end of the lifetime?
>
> The lifetime is relative. If there is no change, just regenerate the
> signature over the DS record. When to regenerate a signature is a
> deeper topic - some suggest regenerating signatures about 1/2 way
> through the lifetime just to be sure the signatures get out there in
> time. But never sign the DS set for more time than the prudent/agreed
> upon lifetime duration.

Thanks for the clarification. I thought the simplest solution to revoke a key is to remove it from the zone, as it would also break the chain of trust. But I have to admit that I am not yet fully aware of the effects of the various caching mechanisms on the time a resolver can falsely assume the correctness of a revoked key. I have to check that.

regards,

Klaus

___________________________________________________________________________
      |       |
      | knipp |                   Knipp Medien und Kommunikation GmbH
       -------                    Technologiepark
                                  Martin-Schmeißer-Weg 9
      Dipl. Inf. Klaus Malorny    44227 Dortmund
      Klaus.Malorny@knipp.de      Tel. +49 231 9703 0
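An added illustration, not part of the thread and not code from either participant, of the caching effect Klaus says he still has to check. It models a validating resolver's cache the way RFC 4035 section 4.5 describes it: a cached DS RRset may be used for its TTL, but never past the expiration of the RRSIG that covered it. With that, the worst-case time during which a resolver can still validate a removed (revoked) DS is min(TTL, remaining signature validity), which is why Ed's point about shortening the signature lifetime only bites once that lifetime is shorter than the TTL. The class and function names, and the sample TTL and lifetimes, are assumptions made for the example; it goes beyond the specific case in the message by comparing several signature lifetimes at once.

```python
"""Model of how long a validating resolver can keep trusting a DS RRset
after the parent zone stops publishing it.

Assumptions (not from the thread): a single resolver cache, no
intermediate forwarders, and a resolver that honours the RFC 4035
section 4.5 rule of never using an RRset past its RRSIG expiration.
Times are integer seconds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DSPublication:
    """A DS RRset as served by the parent zone, with its RRSIG validity."""
    ttl: int             # RRset TTL in seconds (fixed by the zone, not negotiable per key)
    sig_inception: int   # RRSIG inception time
    sig_expiration: int  # RRSIG expiration time


@dataclass(frozen=True)
class CachedDS:
    """What a validating resolver holds after fetching and validating the DS RRset."""
    fetched_at: int
    ttl: int
    sig_expiration: int

    def usable_until(self) -> int:
        # Serve from cache for the TTL, but never beyond the RRSIG expiration.
        return min(self.fetched_at + self.ttl, self.sig_expiration)

    def trusts_at(self, now: int) -> bool:
        """True while the resolver would still build a chain of trust through this DS."""
        return now < self.usable_until()


def fetch(ds: DSPublication, now: int) -> CachedDS:
    """Resolver fetches the DS RRset; validation fails outside the RRSIG validity window."""
    if not (ds.sig_inception <= now < ds.sig_expiration):
        raise ValueError("RRSIG not valid at fetch time; resolver would reject the RRset")
    return CachedDS(fetched_at=now, ttl=ds.ttl, sig_expiration=ds.sig_expiration)


def exposure_after_removal(ds: DSPublication, removed_at: int) -> int:
    """Seconds after the parent removes the DS during which some resolver may
    still validate the compromised key.

    Worst case: the resolver fetched the RRset with the very last answer the
    parent served before removal.
    """
    if removed_at >= ds.sig_expiration:
        return 0  # signature already expired; nothing cached is usable
    cached = fetch(ds, removed_at)
    return max(0, cached.usable_until() - removed_at)


def compare_lifetimes(ttl: int, lifetimes: list[int], removed_after: int) -> dict[int, int]:
    """Exposure for each RRSIG lifetime when the DS is pulled `removed_after`
    seconds into the validity period (signing at time 0)."""
    return {
        life: exposure_after_removal(
            DSPublication(ttl=ttl, sig_inception=0, sig_expiration=life), removed_after
        )
        for life in lifetimes
    }


if __name__ == "__main__":
    # Constructed sample: one-day TTL, DS pulled six hours after signing.
    day = 86400
    for life, exposure in compare_lifetimes(day, [30 * day, 7 * day, 12 * 3600], 6 * 3600).items():
        print(f"RRSIG lifetime {life:>8}s -> worst-case exposure {exposure:>6}s")
```

Reading the output: with a 30-day or 7-day signature lifetime the exposure is the full TTL (86400 s), because the TTL is the binding limit; only the 12-hour lifetime shortens it (to 21600 s, the signature validity remaining at removal time). The model also shows why re-signing only at expiry is risky: a resolver whose cached copy is capped by the old RRSIG must find a fresh signature in the parent zone when it re-fetches, which is the reason for re-signing partway through the lifetime.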