----- Original Message -----
From: "Matthijs Mekking" <[EMAIL PROTECTED]>
To: "Paul Hoffman" <[EMAIL PROTECTED]>
Cc: <dnsop@ietf.org>
Sent: Monday, September 29, 2008 3:08 AM
Subject: Re: [DNSOP] Proposed changes to RFC 4641: rollovers
Hi Paul,
I encourage making the 4641 document more up to date and adding better
definitions. However, one issue drew my attention: I am not sure if
doing key rollover in emergencies only is good practice, for a couple of
reasons:
* All keys have an expected lifetime. After the lifetime, you may expect
a key to be compromised.
No, it may have simply expired and so would no longer be 'in effect', but
that doesn't mean that they 'will magically stop working' unless the code
forces that, and there is NO way to specify this without defining a
compliance test suite that mandates this.
Because you cannot easily suspect this until
harm is being done, I say it's better to prevent than to fix. So do key
rollover only when the key's lifetime is running out (inclusive), or it
is suspected that the key has been compromised.
* If keys that act as trust anchors have a long lifetime (effective
period), key rollover is hardly operated. Doing key rollover
periodically, not only for KSKs that do not act as trust anchors, gives
us more operational practice.
* Besides, you cannot know if a resolver will pick up your KSK as a
trust anchor, so you should consider that all your KSKs can be used as a
trust anchor.
* Change of zonedata size or local policies might mean that a change in
KSK is made (longer key, different algorithm...)
Regards,
Matthijs
Paul Hoffman wrote:
Because of the difficulty of getting all users of a trust anchor to
replace an old trust anchor with a new one, a KSK that is a trust
anchor should never be rolled unless it is known or strongly
suspected that the key has been compromised.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
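Added worked example, not code from the thread above or from either of its participants. The disagreement turns on a distinction worth making concrete: a key's "lifetime" in the sense Matthijs uses exists only in the operator's key store, while the only dates a validating resolver ever sees are the inception and expiration in the RRSIG. A DNSKEY record carries no validity period at all, which is why a key past its planned lifetime keeps working exactly as the inline reply says. The script below parses a constructed DNSKEY RRset with its covering RRSIG, applies a constructed lifetime policy, and reports each key's policy state next to whether the zone's signature still validates. The record contents, the placeholder key material, the dates, and the 30-day warning window are all assumptions made for the illustration.

```python
"""Contrast an operator's key-lifetime policy with what the zone itself says.

Added illustration, not code from the DNSOP thread. All records, dates and
policy values below are constructed; the base64 fields are placeholders,
not real key material or signatures.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed DNSKEY RRset plus its covering RRSIG, in presentation format.
# Note that the DNSKEY lines carry no dates; only the RRSIG does.
SAMPLE_RRSET = """\
example.  3600 IN DNSKEY 257 3 8 AwEAAaExampleKSKPlaceholder==
example.  3600 IN DNSKEY 256 3 8 AwEAAaExampleZSKPlaceholder==
example.  3600 IN RRSIG DNSKEY 8 1 3600 20081030000000 20080930000000 12345 example. c2lnbmF0dXJl
"""

# Operator policy keyed by DNSKEY flags (257 = KSK with SEP bit, 256 = ZSK).
# Nothing in the zone records a generation date or lifetime, so this has to
# come from the signer's key store. Constructed values.
KEY_POLICY = {
    257: {"role": "KSK", "generated": "2007-09-29T00:00:00Z", "lifetime_days": 365},
    256: {"role": "ZSK", "generated": "2008-08-01T00:00:00Z", "lifetime_days": 90},
}

# RRSIG RDATA order (RFC 4034 section 3.1): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer's name, signature.
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+"
)
DNSKEY_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+3\s+(?P<alg>\d+)\s+"
)


def parse_ts(s: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_iso(s: str) -> datetime:
    """ISO-8601 UTC timestamps used for the constructed policy and 'now'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rrsig_validity(rrset_text: str):
    """Return (inception, expiration) of the RRSIG covering DNSKEY, or None."""
    for line in rrset_text.splitlines():
        m = RRSIG_RE.match(line)
        if m and m.group("type") == "DNSKEY":
            return parse_ts(m.group("inception")), parse_ts(m.group("expiration"))
    return None


def key_state(now: datetime, generated: datetime, lifetime_days: int,
              compromised: bool = False, warn_days: int = 30) -> str:
    """Policy verdict for one key.

    'expired' means the key is past its planned lifetime. It does not mean the
    key stops validating: the protocol has no field that would enforce that.
    A suspected compromise overrides the schedule and is an emergency roll.
    """
    if compromised:
        return "emergency"
    end = generated + timedelta(days=lifetime_days)
    if now >= end:
        return "expired"
    if now + timedelta(days=warn_days) >= end:
        return "rollover_due"
    return "ok"


def report(now_iso: str, rrset_text: str, policy: dict) -> dict:
    """Combine the operator's policy view with the zone's signature validity."""
    now = parse_iso(now_iso)
    inception, expiration = rrsig_validity(rrset_text)
    # This is all a validator checks: is 'now' inside the RRSIG window?
    rrsig_valid = inception <= now < expiration
    keys = []
    for line in rrset_text.splitlines():
        m = DNSKEY_RE.match(line)
        if not m:
            continue
        flags = int(m.group("flags"))
        p = policy[flags]
        state = key_state(now, parse_iso(p["generated"]), p["lifetime_days"])
        keys.append({"role": p["role"], "flags": flags, "state": state})
    return {"rrsig_valid": rrsig_valid, "keys": keys}


if __name__ == "__main__":
    # On 2008-10-15 the constructed KSK is past its 365-day lifetime, yet the
    # DNSKEY RRSIG it produced runs until 2008-10-30 and still validates.
    for k, v in report("2008-10-15T00:00:00Z", SAMPLE_RRSET, KEY_POLICY).items():
        print(k, v)
```

Running it with the constructed data gives a KSK in state "expired" and a ZSK in state "rollover_due" while rrsig_valid is True: a policy-expired key whose signatures resolvers will keep accepting until the RRSIG window closes, which is the gap the two sides of the thread are arguing over. Swap in a real key store and the output of `dig DNSKEY +dnssec` for the constructed strings and the same check becomes a pre-rollover audit.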