Nicholas,

On Wed, Apr 02, 2014 at 04:25:10PM -0400, Nicholas Weaver wrote:
> ...
> And please don't discount the psychology of the issue. If DNSSEC
> wants to be taken seriously, it needs to show it. Using short keys
> for root and the major TLDs, under the assumptions that it can't be
> cracked quickly (IMO, we have to assume 1024b can be.) and that old
> keys don't matter [1], is something that really does draw criticism.
>
> [1] IMO they do until validators record and use a 'root key
> ratchet': never accept a key whose expiration is older than the
> inception date of the RRSIG on the youngest root ZSK seen, or have
> some other defense to roll-back-the-clock attacks.
What do you mean by "..key whose expiration is.."? A new property recorded at this "ratchet"? btw, what is this?

Fred

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
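A toy model of the 'root key ratchet' from the quoted footnote [1], added here as an illustration; it is not code from the thread or from any validator. It reads the footnote this way: a DNSKEY record carries no validity dates of its own, so the "expiration" of a root key is taken to be the expiration of the RRSIG covering the root DNSKEY RRset; the validator keeps one persistent timestamp, the newest RRSIG inception it has ever accepted; and any DNSKEY RRset whose RRSIG expiration predates that timestamp is refused no matter what the local clock says. The class and function names, key tags and dates are all constructed for the example.

```python
"""
Toy model of the "root key ratchet" (added example, not from the DNSOP thread).

Assumptions used here:
  * The "expiration" of a root key means the expiration of the RRSIG that
    covers the root DNSKEY RRset (DNSKEY records have no dates of their own).
  * The validator persists one timestamp across restarts: the newest RRSIG
    inception it has ever accepted on the root DNSKEY RRset.
  * A root DNSKEY RRset is refused when its RRSIG expiration is older than
    that stored inception, regardless of the local clock.
All key tags and timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class DnskeySignature:
    """Validity window of the RRSIG covering a root DNSKEY RRset (constructed)."""
    key_tag: int          # placeholder tag, for readability only
    inception: datetime
    expiration: datetime


def naive_accept(sig: DnskeySignature, now: datetime) -> bool:
    """The usual check: trust the local clock, accept if 'now' is inside the window."""
    return sig.inception <= now <= sig.expiration


class RootKeyRatchet:
    """Monotonic high-water mark of accepted RRSIG inception times."""

    def __init__(self, stored_inception: Optional[datetime] = None):
        # A real validator would load this from persistent storage.
        self.newest_inception = stored_inception

    def accept(self, sig: DnskeySignature) -> bool:
        """Apply the ratchet; advance it if the signature is accepted."""
        if self.newest_inception is not None and sig.expiration < self.newest_inception:
            # The window closed before the newest key already seen: only a
            # rolled-back clock or a replayed stale RRset ends up here.
            return False
        if self.newest_inception is None or sig.inception > self.newest_inception:
            self.newest_inception = sig.inception
        return True


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed scenario: the key in use in 2014, and a 2010 signature window
# that would be replayed to a validator whose clock has been rolled back.
CURRENT_SIG = DnskeySignature(key_tag=1002, inception=_utc("2014-03-01T00:00:00"),
                              expiration=_utc("2014-03-22T00:00:00"))
STALE_SIG = DnskeySignature(key_tag=1001, inception=_utc("2010-06-01T00:00:00"),
                            expiration=_utc("2010-06-22T00:00:00"))
ROLLED_BACK_CLOCK = _utc("2010-06-10T00:00:00")


def run_scenario() -> dict:
    """Decide the stale window both ways after the current key has been seen."""
    ratchet = RootKeyRatchet()
    current_accepted = ratchet.accept(CURRENT_SIG)
    return {
        "current_accepted": current_accepted,
        "stale_naive": naive_accept(STALE_SIG, ROLLED_BACK_CLOCK),   # clock says valid
        "stale_ratchet": ratchet.accept(STALE_SIG),                  # ratchet refuses
        "ratchet_mark": ratchet.newest_inception,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The contrast is the whole point: with the clock rolled back to 2010, the clock-only check accepts the old window, while the ratchet refuses it because a 2014 key has already been recorded. The caveat is equally visible: a validator with no stored history (first boot, or state lost) has nothing to compare against and accepts the stale window, so the ratchet is only as good as the persistence of that single timestamp.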