Shane,

On 08/03/2016 01:58 PM, Shane Kerr wrote:
> Wes,
>
> At 2016-08-01 15:00:52 -0700
> Wes Hardaker <wjh...@hardakers.net> wrote:
>
>> The following draft, authored by Warren and I, might be of interest to
>> the dnsop crowd:
>>
>> https://tools.ietf.org/html/draft-hardaker-rfc5011-security-considerations-00
>>
>> [it currently does not have a home]
>
> Reading this document it basically seems like the hold-down timer is
> actually a potential for mischief, rather than a good thing. There is
> no mitigation recommended, right? I can't think of a fix that doesn't
> involve protocol changes.
>
> My own feeling is that the hold-down timer is tricky operationally, and
> adds no actual value. I'd support using your draft as the basis of a
> proposal to deprecate the hold-down timer completely.
The Add Hold-Down time adds value in the form of some mitigation against automated configuration of a compromised trust anchor in the resolver. While not waterproof, I don't think we should abandon the Add Hold-Down timer, although the long time may be somewhat of a burden and the outlined Denial of Service attack is to be taken seriously. I would rather see a mitigation against the replay attack by, for example, adding a jitter to the Active Refresh, to make the query interval less predictable.

Best regards,
Matthijs

> Cheers,
>
> --
> Shane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
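As an added illustration of the jitter idea discussed above (example code, not from the draft or from any resolver implementation): the RFC 5011 section 2.3 Active Refresh interval, MAX(1 hr, MIN(15 days, 1/2 OrigTTL, 1/2 RRSigExpirationInterval)), with a randomized shortening applied per poll. The design choice that jitter only ever makes the resolver query earlier, never later than the computed interval and never more often than once per hour, is this example's assumption about how to keep within the RFC's bounds; `jitter_fraction` and `schedule` are names introduced here.

```python
import random

HOUR = 3600
DAY = 86400


def active_refresh(orig_ttl: int, rrsig_expiration_interval: int) -> int:
    """RFC 5011 section 2.3 query interval in seconds:
    MAX(1 hr, MIN(15 days, 1/2 * OrigTTL, 1/2 * RRSigExpirationInterval))."""
    return max(HOUR, min(15 * DAY, orig_ttl // 2, rrsig_expiration_interval // 2))


def jittered_refresh(base: int, jitter_fraction: float, rng: random.Random) -> int:
    """Shorten the base interval by a random amount of up to jitter_fraction * base.

    Assumption made here: jitter may only move a poll earlier, so the resolver
    still queries at least every ActiveRefresh, and the result is clamped to the
    once-per-hour floor so it never polls more often than RFC 5011 allows.
    """
    if not 0.0 <= jitter_fraction < 1.0:
        raise ValueError("jitter_fraction must be in [0, 1)")
    shortened = base - int(rng.random() * jitter_fraction * base)
    return max(HOUR, min(base, shortened))


def schedule(orig_ttl: int, rrsig_expiration_interval: int, polls: int,
             jitter_fraction: float = 0.25, seed=None) -> list:
    """Absolute poll times (seconds from now) for the next `polls` queries.

    Jitter is drawn fresh for every poll, so the offset accumulates and the
    time of the Nth query is not a simple multiple of the base interval.
    """
    rng = random.Random(seed)
    base = active_refresh(orig_ttl, rrsig_expiration_interval)
    now, times = 0, []
    for _ in range(polls):
        now += jittered_refresh(base, jitter_fraction, rng)
        times.append(now)
    return times


if __name__ == "__main__":
    # Constructed sample: 2-day DNSKEY TTL, 30-day signature interval -> base 1 day.
    print("fixed   :", schedule(2 * DAY, 30 * DAY, 5, jitter_fraction=0.0))
    print("jittered:", schedule(2 * DAY, 30 * DAY, 5, jitter_fraction=0.25, seed=7))
```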