On Aug 13, 2008, at 12:19 PM, Ralf Weber wrote:
> Well, you have to change keys with cryptography from time to time if you want
> to be safe. RFC 2541 says once a year, RFC 4641 doesn't give any advice,
> but e.g. RIPE, which refers to this, is doing a rollover every 6 months.

A 2048-bit key will take a really long time to crack. You need to do key rollover often enough that the chances of it being cracked during the rollover period are effectively zero. Two years is a pretty conservative period.

If your zone key or KSK is actually compromised, then rollover won't help you very much, because it takes too long. You need to revoke the key immediately. Which is not hard.

> I don't think so. My idea was to do a KSK rollover every 24 months
> with key length >= 2048 and a ZSK rollover every three months with key
> length between 1024 and 2048. But this is work compared to the thousands
> of zones we have with SOA serials that are older than two years (we
> have a lot of zones with SOA serial < 2000 ;-). In the DNS world I
> never have to touch them again; in the DNSSEC world I do have to touch the
> zones regularly.

Fair enough. I have zones like that too.

> Yup, get renewed every two years.

Okay, so this is a key that's arguably more important than your KSK, because it's used to protect authentication information and, depending on how you do business, financial information belonging to your customers. If it's safe to roll this key every two years, it's safe to roll your KSK no more often, and I would argue that the same is true for your zone key.

> As said before, the tools out there do not have the automation required
> to make it easy for an operator to deploy DNSSEC widely. But I do have
> faith in you and other people that are building tools and software
> that they will get better.

I can't argue with that! :')

I will point out though that the financial incentive to secure a zone varies according to what is done with that zone. My home domain, fugue.com, really doesn't need to be signed, because I only ever use it for things where I have adequate application-layer security, and nobody's going to punch their credit card info into a faked fugue.com domain. I signed it today anyway just to make a point.

In practice, I think the majority of domains are like mine. So the cost of signing the zones that really need to be signed, in practice, is a lot less than the cost of signing every zone in the DNS.
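A small audit script for the policy Ralf sketches above (KSK rolled every 24 months at >= 2048 bits, ZSK every three months at 1024..2048 bits), added here as an example and not part of the thread. It takes the KSK/ZSK role from the DNSKEY flags field and the RSA modulus size from the RFC 3110 key encoding; the key inventory, creation dates and keys are constructed, and the day limits are an assumption standing in for the month figures.

```python
import base64
import struct
from datetime import date

KSK_FLAGS, ZSK_FLAGS = 257, 256   # SEP bit set marks a KSK (RFC 4034, section 2.1.1)
RSA_ALGORITHMS = (5, 7, 8, 10)    # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
# Ralf's proposed policy: KSK rolled every 24 months at >= 2048 bits,
# ZSK every three months at 1024..2048 bits (maximum ages approximated in days).
POLICY = {"KSK": (730, 2048, 8192), "ZSK": (90, 1024, 2048)}

def rsa_modulus_bits(rdata_b64):
    """Modulus size of an RSA DNSKEY public key (RFC 3110 wire format)."""
    raw = base64.b64decode(rdata_b64)
    exp_len, off = raw[0], 1
    if exp_len == 0:                          # long form: 2-byte exponent length follows
        exp_len, off = struct.unpack("!H", raw[1:3])[0], 3
    modulus = raw[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def check_key(flags, algorithm, rdata_b64, created, today):
    """Classify one DNSKEY by its flags and list policy violations."""
    role = {KSK_FLAGS: "KSK", ZSK_FLAGS: "ZSK"}.get(flags)
    if role is None:
        return None, ["unexpected DNSKEY flags %d" % flags]
    max_age, min_bits, max_bits = POLICY[role]
    problems = []
    if algorithm in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(rdata_b64)
        if not min_bits <= bits <= max_bits:
            problems.append("%d-bit key outside %d..%d" % (bits, min_bits, max_bits))
    age = (today - created).days
    if age > max_age:
        problems.append("rollover overdue: %d days old, limit %d" % (age, max_age))
    return role, problems

def fake_rsa_key(bits):
    """Constructed RSA public key RDATA (exponent 65537, dummy modulus), base64."""
    modulus = (1 << (bits - 1)) | 1           # top bit set so bit_length() == bits
    raw = bytes([3]) + b"\x01\x00\x01" + modulus.to_bytes(bits // 8, "big")
    return base64.b64encode(raw).decode()

def run_sample():
    """Audit two constructed keys as of the thread's date."""
    today = date(2008, 8, 13)
    inventory = [(257, 8, fake_rsa_key(2048), date(2006, 1, 1)),   # KSK, not rolled since 2006
                 (256, 8, fake_rsa_key(1024), date(2008, 7, 1))]   # ZSK, rolled six weeks ago
    return [check_key(f, a, k, c, today) for f, a, k, c in inventory]

if __name__ == "__main__":
    print(run_sample())
```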

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
