Perhaps this is a good time for me to plug adoption of Signaling Cryptographic 
Algorithm Understanding, per RFC 6975.  The sooner this gets included in the 
implementation on the query side, the sooner we will have solid information on 
when it will be ok to phase out an obsolete algorithm.

This is not directly related to changes in key lengths, but it is relevant for 
the shifts from one algorithm to another, including changes in hash algorithms.

Steve



On Apr 4, 2014, at 12:28 PM, Tony Finch <d...@dotat.at> wrote:

> Frederico A C Neves <fne...@registro.br> wrote:
>> On Wed, Apr 02, 2014 at 04:25:10PM -0400, Nicholas Weaver wrote:
>>> 
>>> IMO they do until validators record and use a 'root key ratchet':
>>> never accept a key whose expiration is older than the inception date
>>> of the RRSIG on the youngest root ZSK seen, or have some other defense
>>> to roll-back-the-clock attacks.
>> 
>> What do you mean by "..key whose expiration is.."? A new property
>> recorded at this "ratchet"? By the way, what is this?
> 
> I assume he means that the ratchet would observe when a key is no longer
> published in the DNSKEY RRset and treat it as implicitly revoked.
> 
> Tony.
> -- 
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
> Portland, Plymouth: South 4 or 5, occasionally 6 in Plymouth. Slight or
> moderate. Rain, fog patches later. Moderate or poor, occasionally very poor.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop


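On Steve's point about RFC 6975: the three EDNS options it defines (DAU, DHU, N3U) are just lists of one-byte algorithm, DS digest and NSEC3 hash numbers carried in the query's OPT RR. The example below is added here and is not code from the thread, from any resolver, or from the RFC; it encodes and parses the options and then does the authoritative-side bookkeeping Steve is after, counting which signalling resolvers understand which algorithms. The `phase_out_ok` policy (retire the old algorithm once 99% of signalling resolvers understand its replacement) and the five sample queries are constructed for illustration. The one caveat worth getting right: a query that carries no DAU option says nothing about its sender, so it must be dropped from the denominator rather than counted as "does not understand".

```python
import struct
from collections import Counter

# EDNS option codes assigned by RFC 6975.
DAU = 5   # DNSSEC Algorithm Understood
DHU = 6   # DS Hash Understood
N3U = 7   # NSEC3 Hash Understood

# A few DNSSEC algorithm numbers and DS digest types from the IANA registries.
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13
DS_SHA1 = 1
DS_SHA256 = 2


def encode_option(code, values):
    """One EDNS option on the wire: OPTION-CODE, OPTION-LENGTH, then the
    option data. For DAU/DHU/N3U the data is one byte per number."""
    body = bytes(values)
    return struct.pack("!HH", code, len(body)) + body


def encode_sca(dau=(), dhu=(), n3u=()):
    """OPT RDATA carrying whichever of DAU/DHU/N3U the resolver chooses to send."""
    out = b""
    for code, vals in ((DAU, dau), (DHU, dhu), (N3U, n3u)):
        if vals:
            out += encode_option(code, vals)
    return out


def decode_options(rdata):
    """Parse OPT RDATA into {option_code: values}. The three RFC 6975 options
    become lists of ints; any other option is kept as raw bytes. Raises
    ValueError if an option runs past the end of the RDATA."""
    opts = {}
    pos = 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("option data runs past end of RDATA")
        data = rdata[pos:pos + length]
        pos += length
        opts[code] = list(data) if code in (DAU, DHU, N3U) else data
    return opts


def is_well_formed(rdata):
    """True if every option in the RDATA fits inside it."""
    try:
        decode_options(rdata)
        return True
    except ValueError:
        return False


def tally_dau(opt_rdatas):
    """Authoritative-side bookkeeping: how many queries signalled DAU at all,
    and how many of those listed each algorithm. A query without a DAU option
    tells you nothing about that client (RFC 6975), so it is left out of the
    denominator instead of being counted as 'does not understand'."""
    signalling = 0
    per_alg = Counter()
    for rdata in opt_rdatas:
        opts = decode_options(rdata)
        if DAU not in opts:
            continue
        signalling += 1
        for alg in set(opts[DAU]):      # set(): a repeated number counts once
            per_alg[alg] += 1
    return signalling, per_alg


def phase_out_ok(signalling, per_alg, replacement_alg, min_fraction=0.99):
    """Constructed policy, not from the thread or the RFC: the old algorithm may
    be retired once at least min_fraction of signalling resolvers understand the
    replacement. With no signalling queries there is no evidence at all."""
    if signalling == 0:
        return False
    return per_alg[replacement_alg] / signalling >= min_fraction


# Constructed OPT RDATA from five queries (made up, not captured traffic).
SAMPLE_QUERIES = [
    encode_sca(dau=[RSASHA1, RSASHA256, ECDSAP256SHA256], dhu=[DS_SHA1, DS_SHA256]),
    encode_sca(dau=[RSASHA1, RSASHA256, ECDSAP256SHA256]),
    encode_sca(dau=[RSASHA1, RSASHA256]),      # older resolver, no ECDSA yet
    b"",                                        # EDNS present but no options
    encode_option(65001, b"\x01\x02"),          # only some unrelated option
]
```

With the sample above, three of the five queries signal DAU, all three understand RSASHA256 and two understand ECDSAP256SHA256, so `phase_out_ok` says RSASHA1 could go if RSASHA256 were the replacement but not if the target were ECDSA. The two non-signalling queries do not move either number, which is exactly why the signalling needs to be in the query-side implementations before the statistics mean anything.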
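On the quoted "root key ratchet" exchange: the following is an added example, my own code and not anything from the thread or from a real validator, that makes the proposal concrete enough to run. I take "the RRSIG on the youngest root ZSK seen" to mean the RRSIG over the newest root DNSKEY RRset the validator has validated (an assumption on my part), and I fold in Tony's reading that a key which drops out of the published DNSKEY RRset is treated as implicitly revoked. The ratchet keeps three pieces of forward-only state and never consults the local clock, which is what lets it catch a replay that the ordinary inception/expiration window check accepts once the clock has been rolled back. Key tags and timestamps in the scenario are constructed, not the real root's.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sig:
    """The RRSIG fields the ratchet cares about; times are the RRSIG
    inception/expiration values (seconds since the epoch)."""
    key_tag: int
    inception: int
    expiration: int


def in_validity_window(sig, now):
    """The ordinary check: the local clock must fall inside the signature's
    inception..expiration window. A roll-back-the-clock attack defeats this."""
    return sig.inception <= now <= sig.expiration


@dataclass
class RootKeyRatchet:
    """Validator-side state that only moves forward (must be persisted).

    high_water: inception of the RRSIG on the newest root DNSKEY RRset ever
                validated; published: key tags in that RRset; revoked: keys
                that were published earlier and have since disappeared.
    """
    high_water: int = 0
    published: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

    def accept(self, sig):
        """The thread's rule, applied to any RRSIG: reject it if its signing
        key has dropped out of the root DNSKEY RRset, or if it expired before
        the newest root DNSKEY RRSIG we have seen was even made."""
        if sig.key_tag in self.revoked:
            return False
        if sig.expiration < self.high_water:
            return False
        return True

    def observe_root_dnskey(self, key_tags, sig):
        """Feed in a root DNSKEY RRset that already validated cryptographically
        against the trust anchor. Returns False if the ratchet rejects it as a
        replay; otherwise advances the state when the RRset is newer than
        anything seen so far."""
        if not self.accept(sig):
            return False
        if sig.inception > self.high_water:
            self.revoked |= self.published - set(key_tags)   # keys that vanished
            self.published = set(key_tags)
            self.high_water = sig.inception
        return True


def validate(ratchet, sig, now):
    """Both checks together; the ratchet answer does not depend on 'now'."""
    return in_validity_window(sig, now) and ratchet.accept(sig)


# Constructed scenario: one honest ZSK roll, then a replay with a rolled-back clock.
KSK = 19036
OLD_ZSK, NEW_ZSK = 1000, 2000
OLD_RRSET_SIG = Sig(KSK, inception=100, expiration=200)   # over DNSKEY {KSK, OLD_ZSK}
NEW_RRSET_SIG = Sig(KSK, inception=300, expiration=400)   # over DNSKEY {KSK, NEW_ZSK}
OLD_DATA_SIG = Sig(OLD_ZSK, inception=150, expiration=250)
NEW_DATA_SIG = Sig(NEW_ZSK, inception=300, expiration=400)


def run_scenario():
    r = RootKeyRatchet()
    out = {}
    out["first_rrset"] = r.observe_root_dnskey({KSK, OLD_ZSK}, OLD_RRSET_SIG)
    out["rolled_rrset"] = r.observe_root_dnskey({KSK, NEW_ZSK}, NEW_RRSET_SIG)
    # Attacker replays the pre-roll DNSKEY RRset and its still-valid-looking RRSIG.
    out["replayed_rrset"] = r.observe_root_dnskey({KSK, OLD_ZSK}, OLD_RRSET_SIG)
    rolled_back_clock = 150
    out["clock_alone_accepts_old"] = in_validity_window(OLD_DATA_SIG, rolled_back_clock)
    out["ratchet_rejects_old"] = not validate(r, OLD_DATA_SIG, rolled_back_clock)
    out["current_still_ok"] = validate(r, NEW_DATA_SIG, 350)
    out["old_zsk_revoked"] = OLD_ZSK in r.revoked
    return out
```

Two practitioner caveats that the one-line proposal glosses over: the ratchet state has to survive restarts (on disk, and not writable by whoever can feed the validator DNS answers), because a ratchet that starts from zero accepts the replay until the first fresh DNSKEY fetch; and the state must only ever be advanced by RRsets that already validated up to the trust anchor, otherwise an attacker can push `high_water` into the future and cause the validator to reject everything current.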