To: EPP Provreg <ietf-provreg@cafax.se>
From: Andrew Sullivan <ajs@shinkuro.com>
Date: Thu, 28 Jan 2010 11:42:49 -0500
Content-Disposition: inline
In-Reply-To: <OF290E454A.30980263-ON802576B9.00576302-802576B9.0057F86A@nominet.org.uk>
Mail-Followup-To: Andrew Sullivan <ajs@shinkuro.com>, EPP Provreg <ietf-provreg@cafax.se>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [ietf-provreg] rfc4310bis 03 AD Feedback
On Thu, Jan 28, 2010 at 04:00:52PM +0000, Ray.Bellis@nominet.org.uk wrote:

> What's the rationale for giving the child _any_ say in the DS record
> signature lifetimes as presented in the parent zone?

The idea is that the child might want to have some maximum above which it doesn't go, so that the child can roll keys in a predictable way. This unfortunately ignores the effects of the RR TTL on the whole issue, and IMO is a foot-gun loaded for bear, because it makes it trivially easy to set the RRSIG short enough that an RRSIG expires while in cache. Without a knob to control TTLs, I don't know why you'd allow this to be adjusted.

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
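The interaction between a child-requested signature lifetime and the parent's DS TTL, as an added example that is not part of the thread or the draft: a parent-side check that parses the requested value from a constructed secDNS create fragment and rejects lifetimes that would let an RRSIG expire while the DS RRset is still cached. The secDNS-1.1 namespace, the TTL, the re-sign interval and the DS data are assumed values for illustration.

```python
"""Parent-side sanity check for a child-requested maxSigLife (added example)."""
import xml.etree.ElementTree as ET
from typing import Optional

SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"  # assumed namespace

# Constructed <create> extension: the child asks that the parent's signatures
# over its DS RRset live no longer than 7 days. Digest/keyTag are made up.
EPP_EXTENSION = f"""
<secDNS:create xmlns:secDNS="{SECDNS_NS}">
  <secDNS:maxSigLife>604800</secDNS:maxSigLife>
  <secDNS:dsData>
    <secDNS:keyTag>12345</secDNS:keyTag>
    <secDNS:alg>8</secDNS:alg>
    <secDNS:digestType>2</secDNS:digestType>
    <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
  </secDNS:dsData>
</secDNS:create>"""


def requested_max_sig_life(fragment: str) -> Optional[int]:
    """Return the child's maxSigLife in seconds, or None if it was omitted."""
    elem = ET.fromstring(fragment.strip()).find(f"{{{SECDNS_NS}}}maxSigLife")
    return int(elem.text) if elem is not None else None


def min_safe_sig_life(ds_ttl: int, resign_interval: int) -> int:
    """Shortest lifetime that never expires while a cached copy can still be
    served: the oldest signature in service is resign_interval old, and a
    resolver that fetched it right then may keep it for another ds_ttl."""
    return resign_interval + ds_ttl


def cache_exposure(max_sig_life: int, ds_ttl: int, resign_interval: int) -> int:
    """Worst-case seconds an already-expired RRSIG could be served from cache
    (resolver fetched just before the parent re-signed). 0 means safe."""
    remaining = max_sig_life - resign_interval
    return max(0, ds_ttl - remaining)


def evaluate(max_sig_life: int, ds_ttl: int, resign_interval: int) -> str:
    """Verdict the parent would apply at provisioning time."""
    if max_sig_life <= resign_interval:
        return "reject: signatures would expire before the next re-sign"
    if cache_exposure(max_sig_life, ds_ttl, resign_interval) > 0:
        return "reject: RRSIG can expire while the DS RRset is cached"
    return "accept"


if __name__ == "__main__":
    life = requested_max_sig_life(EPP_EXTENSION)
    # Constructed parent policy: DS TTL of 1 day, re-sign every 3 days.
    print(life, evaluate(life, ds_ttl=86400, resign_interval=259200))
```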