Hi Wes, Warren,

On 08/02/2016 12:00 AM, Wes Hardaker wrote:
> The following draft, authored by Warren and I, might be of interest to
> the dnsop crowd:
>
> https://tools.ietf.org/html/draft-hardaker-rfc5011-security-considerations-00
>
> [it currently does not have a home]
Thanks for this document. Two comments:

1. In the introduction you mention there is no guidance on how long a DNSKEY
   must be published before it can be considered accepted. Perhaps there is
   no implicit guidance in RFC 5011, but you should be able to derive it from
   the timing parameters defined in that document. In fact, it has been done
   before: RFC 7583 (DNSSEC Key Rollover Timing Considerations) gives guidance
   on exactly this in Section 3.3.4.

2. The outlined attack is possible because the defined queryInterval is
   approximately half of the RRSIG expiration interval. If the queryInterval
   were increased so that it would be at most the full expiration interval,
   the replay attack cannot be successfully executed. While this makes the
   DNSKEY rollover duration even longer, it is now secured against the
   outlined attack.

Best regards,
  Matthijs
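To make the timers under discussion concrete, here is an added model (not code from the draft, the RFCs, or either poster) of the RFC 5011 active-refresh interval and the Start/AddPend/Valid hold-down states, run over a constructed timeline in which a resolver keeps receiving a still-valid pre-publication DNSKEY RRset at its scheduled refreshes. The 14-day RRSIG validity, the "half" versus "full" queryInterval values and the observation schedule are constructed assumptions for the comparison.

```python
# Model of the RFC 5011 active-refresh timer and add-hold-down state machine.
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR
ADD_HOLD_DOWN = 30 * DAY  # RFC 5011 add hold-down time

def query_interval(orig_ttl, rrsig_expiration_interval):
    """Active-refresh interval from RFC 5011 section 2.3, in seconds."""
    return max(HOUR, min(15 * DAY, orig_ttl // 2, rrsig_expiration_interval // 2))

@dataclass
class Observation:
    time: int          # seconds after the new DNSKEY was first published
    signed_ok: bool    # the DNSKEY RRset's RRSIG validated (not yet expired)
    has_new_key: bool  # the observed RRset contains the new key

def track_new_key(observations):
    """Run the Start -> AddPend -> Valid part of the RFC 5011 state machine.
    Returns (state, time_valid). A validly signed RRset that lacks the key
    while in AddPend sends the key back to Start and restarts the hold-down."""
    state, timer = "Start", None
    for obs in sorted(observations, key=lambda o: o.time):
        if not obs.signed_ok:
            continue  # answers that fail validation never change state
        if state == "AddPend" and obs.time >= timer:
            return "Valid", timer
        if state == "Start" and obs.has_new_key:
            state, timer = "AddPend", obs.time + ADD_HOLD_DOWN
        elif state == "AddPend" and not obs.has_new_key:
            state, timer = "Start", None
    return state, None

def stale_replay_queries(qi, rrsig_expiration_interval):
    """How many scheduled refreshes (t = 0, qi, 2qi, ...) fall inside the RRSIG
    validity of an RRset signed just before publication, i.e. how many times a
    captured pre-publication RRset would still validate if replayed."""
    return len(range(0, rrsig_expiration_interval, qi))

def replay_scenario(qi, validity=14 * DAY):
    """Constructed timeline: key published at t=0; the pre-publication RRset
    (valid until t=validity) is replayed at every refresh while it validates,
    after which the resolver receives the genuine RRset with the new key."""
    obs = [Observation(t, True, has_new_key=t >= validity)
           for t in range(0, validity + ADD_HOLD_DOWN + qi, qi)]
    return track_new_key(obs)

if __name__ == "__main__":
    half, full = 7 * DAY, 14 * DAY  # queryInterval at half vs. full RRSIG validity
    print(stale_replay_queries(half, 14 * DAY), stale_replay_queries(full, 14 * DAY))
    print(replay_scenario(half), replay_scenario(full))
```

With the RRSIG term driving the interval, the half-validity setting leaves two refreshes at which the stale RRset still validates and the full-validity setting leaves one; in both constructed runs the key reaches Valid at t = validity + 30 days, so the count of replayable refreshes is what the two settings change in this model.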