Frederico A C Neves <fne...@registro.br> wrote:
> On Wed, Apr 02, 2014 at 04:25:10PM -0400, Nicholas Weaver wrote:
> >
> > IMO they do until validators record and use a 'root key ratchet':
> > never accept a key whose expiration is older than the inception date
> > of the RRSIG on the youngest root ZSK seen, or have some other defense
> > to roll-back-the-clock attacks.
>
> What do you mean by "..key whose expiration is.."? A new property
> recorded at this "ratchet", btw what is this?

I assume he means that the ratchet would observe when a key is no longer
published in the DNSKEY RRset and treat it as implicitly revoked.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Portland, Plymouth: South 4 or 5, occasionally 6 in Plymouth. Slight or
moderate. Rain, fog patches later. Moderate or poor, occasionally very poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
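
A sketch of the ratchet discussed in this thread, as an added example that is not code from either poster or from any resolver. It assumes the "expiration" in the quoted rule means the expiration of the RRSIG covering the root DNSKEY RRset, combines that rule with the implicit-revocation reading given in the reply, and uses hypothetical names and constructed key tags and times.

```python
from dataclasses import dataclass, field

@dataclass
class RootKeyRatchet:
    """Monotonic validator state (hypothetical names). Signature
    verification is assumed to have succeeded before accept() is called."""
    newest_inception: int = 0               # newest RRSIG inception accepted
    current: frozenset = frozenset()        # key tags in newest DNSKEY RRset
    withdrawn: set = field(default_factory=set)  # tags published, then dropped

    def accept(self, tags, signer, inception, expiration):
        """Judge one signed root DNSKEY RRset; returns (ok, reason)."""
        tags = frozenset(tags)
        if signer not in tags or expiration < inception:
            return False, "malformed"
        # Timestamp rule: signature expired before the newest inception seen.
        if expiration < self.newest_inception:
            return False, "expired before newest inception seen"
        # Implicit revocation: a key that left the RRset never comes back.
        if tags & self.withdrawn:
            return False, "withdrawn key reappeared"
        if inception > self.newest_inception:   # ratchet only moves forward
            self.withdrawn |= self.current - tags
            self.current = tags
            self.newest_inception = inception
        return True, "ok"

def demo():
    """Constructed key tags and epoch-like times, not real root zone data."""
    r = RootKeyRatchet()
    return [
        r.accept({1111, 2222}, 1111, 1000, 2000),  # first observation
        r.accept({1111, 3333}, 1111, 1900, 2900),  # ZSK 2222 rolled to 3333
        r.accept({1111, 2222}, 1111, 1000, 2000),  # replay, window still overlaps
        r.accept({1111, 2222}, 1111, 500, 1500),   # replay, window fully stale
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The third case shows why the two readings differ: the replayed signature has not yet expired relative to the newest inception, so only the withdrawn-key check rejects it. Key tags are not unique identifiers, so a real implementation would track full key material rather than tags.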
