Hi Richard,

On 4 Mar 2009, at 09:58, Richard Lamb wrote:

> A very useful piece of work. Particularly the material on emergency key rollover. It took me some time to write the scripts to take into account TTL, propagation delays, and various key compromise scenarios. The approach your work takes gives the implementer a clear framework. Wish I had your work before.

Thanks. The emergency rollover logic in the draft is based on experience from several failed implementation attempts that kept sending us back to the proverbial drawing board. Once we got it "right", implementation suddenly became quite easy.

To me, a large part of the point with this draft is to take a much needed step from "rollover confusion" (which is where most of us spend time during our initial implementation efforts) to "rollover analysis" (where it is possible to actually have a rational discussion about different rollover logic alternatives). But, having tried to have such discussions with a number of people, it seemed clear that we needed some sort of "reference logic" first.

Hence this draft.

Regards,

Johan

-----Original Message-----
From: dnsop-boun...@ietf.org [mailto:dnsop-boun...@ietf.org] On Behalf Of stephen.mor...@nominet.org.uk
Sent: Tuesday, February 17, 2009 10:21 AM
To: dnsop@ietf.org
Subject: [DNSOP] draft-morris-dnsop-dnssec-key-timing-00

John Dickinson and Johan Ihren and I have just submitted
http://www.ietf.org/internet-drafts/draft-morris-dnsop-dnssec-key-timing-00.txt

The draft gives a rigorous description of timing considerations in DNSSEC
key rollovers.

Stephen



A new version of I-D, draft-morris-dnsop-dnssec-key-timing-00.txt
has been successfully submitted by Stephen Morris and posted to the
IETF repository.

Filename:    draft-morris-dnsop-dnssec-key-timing
Revision:    00
Title:       DNSSEC Key Timing Considerations
Creation_date:    2009-02-17
WG ID:       Independent Submission
Number_of_pages: 22

Abstract:
RFC 4641 gives a detailed overview of the operational considerations
involved in running a DNSSEC-secured zone, including key rollovers.
This document expands on the previous work, and discusses timing
considerations in greater depth.  It explicitly identifies the
relationships between the various time parameters, and gives a
suggested algorithm for key rollover in a DNSSEC-secured zone.



The IETF Secretariat.



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop