On 02/06/2011 11:23 AM, Richard Lamb wrote:
> I still think, stale or not, having some idea of what the zone's policy is regarding
> signature updates would be useful. I've been running signature expiry monitoring scripts
> for a few years and having some idea of what is "ok" for a zone would be very
> helpful - particularly those zones that have a policy of not refreshing signatures a day
> or two before expiry (e.g. red ones on http://www.dnssek.info/), which I would normally
> consider a concern and start firing off warning emails.
Strictly speaking, from a protocol point of view, any signature that
expires before (zone expiry + RR TTL) is a potential validation failure.
Any signature that expires before the corresponding TTL is a likely
validation failure if there is a non-DNSSEC-validating cache in the path.
Any signature that has expired is bad.
The issue is that many zone owners:
a) Do not know how long it takes to distribute their modified zone to
all the servers in the NS set (the frequent assumption is 0 seconds).
b) Forget about the possible impact of zone expiry when a secondary server
cannot reach the distribution server.
c) Forget about the maximum TTL in the zone.
Olafur
> -Rick
>
> -----Original Message-----
> From: dnsop-boun...@ietf.org [mailto:dnsop-boun...@ietf.org] On Behalf Of Joe
> Abley
> Sent: Thursday, June 02, 2011 3:22 AM
> To: João Damas
> Cc: IETF DNSOP WG
> Subject: Re: [DNSOP] watching for signature expiration in zones you don't sign
>
> On 2011-06-02, at 13:17, João Damas wrote:
> > > At first glance it might look useful, but this is the kind of info that tends
> > > to go stale, and then what do you do when there is a mismatch?
> >
> > I guess you flag it for manual investigation. The alternative is that you don't
> > really know when a situation is actually bad until the signature expires, and it'd
> > be nice to have some early warning.
> >
> > I could maintain a manual table of what "bad" means for particular zones based
> > on observation, but that seems even more likely to become stale.
> >
> > > Would you invalidate a still-valid signature if it doesn't conform to policy in
> > > case someone else is signing the zone other than the authorised party?
> >
> > Nope, but (especially in these early days of deployment) perhaps it might merit
> > a note to an administrator, or a heads-up to a public list.
> >
> > > Would you send mail to the zone admin? (And knowing the people on this list,
> > > that would be a lot of email on top of that admin.) :)
> > >
> > > Shouldn't this sort of admin work be done by the admin, either internally or by
> > > outsourcing to some other organisation?
> >
> > I guess my point is that unless you're the person involved in signing a
> > particular zone, telling when there's a signature expiration problem looming
> > is not easy.
> >
> > Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
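The three rules Olafur states (an expired signature is bad; one that expires within the covered RRset's TTL is a likely failure behind a non-validating cache; one that expires within SOA expire plus TTL is a potential failure if a secondary loses contact with its distribution server) can be turned into a monitoring check of the kind Richard describes. The following script is an added example written for this page, not a script from any of the thread's participants. It assumes a zone in presentation format with one record per line ("owner TTL IN TYPE rdata", no $ORIGIN/$TTL directives or parenthesised multi-line records), a constructed sample zone under `example.test.`, and a check time equal to the date of the thread. The optional `distribution_lag` parameter (a name chosen here) models point (a), the time it takes a re-signed zone to reach every server in the NS set; it defaults to the zero-second assumption the text warns about. It also flags signatures whose inception is still in the future, which goes slightly beyond the three rules.

```python
"""DNSSEC signature-expiry check over a zone in presentation format.

Added example, not from the thread. Classifies each RRSIG as EXPIRED,
LIKELY-FAIL (expires within the covered TTL), POTENTIAL-FAIL (expires within
SOA expire + TTL) or OK, per the rules given above.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Rrsig:
    owner: str
    ttl: int            # RFC 4034: an RRSIG's TTL matches the RRset it covers
    type_covered: str
    expiration: datetime
    inception: datetime
    signer: str


def parse_rrsig_time(field: str) -> datetime:
    # RRSIG presentation format: YYYYMMDDHHmmSS, always UTC (RFC 4034 s.3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text: str) -> Tuple[Optional[int], int, List[Rrsig]]:
    """Return (SOA expire, maximum TTL in the zone, RRSIG records)."""
    soa_expire: Optional[int] = None
    max_ttl = 0
    rrsigs: List[Rrsig] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, ttl, rtype, rdata = fields[0], int(fields[1]), fields[3], fields[4:]
        max_ttl = max(max_ttl, ttl)
        if rtype == "SOA":
            # rdata: mname rname serial refresh retry expire minimum
            soa_expire = int(rdata[5])
        elif rtype == "RRSIG":
            # rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
            rrsigs.append(Rrsig(owner, ttl, rdata[0],
                                parse_rrsig_time(rdata[4]), parse_rrsig_time(rdata[5]),
                                rdata[7]))
    return soa_expire, max_ttl, rrsigs


def classify(sig: Rrsig, soa_expire: int, now: datetime, distribution_lag: int = 0) -> str:
    """Classify one signature relative to 'now', the moment of the check.

    distribution_lag (seconds, assumed parameter) is the time a re-signed zone
    needs to reach every server in the NS set; it is added to each threshold
    because the signature must still be valid once it finally arrives.
    """
    if sig.inception > now:
        return "NOT-YET-VALID"
    if sig.expiration <= now:
        return "EXPIRED"
    remaining = (sig.expiration - now).total_seconds()
    if remaining < sig.ttl + distribution_lag:
        # A non-validating cache in the path may hand out this RRSIG after it
        # has expired; a validator behind that cache will then fail.
        return "LIKELY-FAIL"
    if remaining < soa_expire + sig.ttl + distribution_lag:
        # A secondary cut off from its master keeps serving the zone for up to
        # SOA expire seconds, and caches hold the answer for TTL after that.
        return "POTENTIAL-FAIL"
    return "OK"


def check_zone(text: str, now: datetime, distribution_lag: int = 0) -> Dict[Tuple[str, str], str]:
    soa_expire, _max_ttl, rrsigs = parse_zone(text)
    if soa_expire is None:
        raise ValueError("zone has no SOA record; cannot compute expire")
    return {(s.owner, s.type_covered): classify(s, soa_expire, now, distribution_lag)
            for s in rrsigs}


# Constructed sample zone, not a real one; signature data are placeholders.
# SOA expire is 604800 s (7 days).
SAMPLE_ZONE = """\
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 2011060201 7200 3600 604800 3600
example.test.      3600 IN RRSIG SOA 8 2 3600 20110615000000 20110601000000 12345 example.test. AAAA==
example.test.     86400 IN NS    ns1.example.test.
example.test.     86400 IN RRSIG NS 8 2 86400 20110603000000 20110520000000 12345 example.test. AAAA==
www.example.test.   300 IN A     192.0.2.1
www.example.test.   300 IN RRSIG A 8 3 300 20110602200000 20110519200000 12345 example.test. AAAA==
old.example.test.   300 IN A     192.0.2.2
old.example.test.   300 IN RRSIG A 8 3 300 20110601000000 20110518000000 12345 example.test. AAAA==
"""
CHECK_TIME = datetime(2011, 6, 2, 12, 0, tzinfo=timezone.utc)  # date of the thread

if __name__ == "__main__":
    for (owner, rtype), status in sorted(check_zone(SAMPLE_ZONE, CHECK_TIME).items()):
        print(f"{status:15} RRSIG {rtype:5} {owner}")
```

Run against the sample at the check time, the SOA signature (12.5 days left, well past expire + TTL) is OK, the NS signature (12 hours left against an 86400-second TTL) is LIKELY-FAIL, the www A signature (8 hours left, inside the 7-day expire window) is POTENTIAL-FAIL, and the old A signature is EXPIRED. Passing a non-zero `distribution_lag` moves even the SOA signature into POTENTIAL-FAIL, which is the effect of point (a) that the zero-second assumption hides.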