Warren,

I am still wondering about the:

    3 * (DNSKEY RRSIG Signature Validity) / 2

term in the draft, which I see survived the update. Why is this not just the DNSKEY RRSIG Signature Validity? In principle once the signature has expired it cannot be used to replay the old DNSKEY RRset, right?

Cheers,

--
Shane

At 2017-02-03 21:14:03 -0500
Warren Kumari <war...@kumari.net> wrote:

> Hi all,
>
> Wes and I have updated this document to make it clearer and more
> readable. Please take a read and let us know if any parts are unclear,
> if you have any other feedback, etc.
>
> Is this close to done?
> W
>
> On Fri, Feb 3, 2017 at 6:29 PM, <internet-dra...@ietf.org> wrote:
> >
> > A new version of I-D, draft-hardaker-rfc5011-security-considerations-02.txt
> > has been successfully submitted by Warren Kumari and posted to the
> > IETF repository.
> >
> > Name: draft-hardaker-rfc5011-security-considerations
> > Revision: 02
> > Title: Security Considerations for RFC5011 Publishers
> > Document date: 2017-02-02
> > Group: Individual Submission
> > Pages: 8
> > URL:
> > https://www.ietf.org/internet-drafts/draft-hardaker-rfc5011-security-considerations-02.txt
> > Status:
> > https://datatracker.ietf.org/doc/draft-hardaker-rfc5011-security-considerations/
> > Htmlized:
> > https://tools.ietf.org/html/draft-hardaker-rfc5011-security-considerations-02
> > Diff:
> > https://www.ietf.org/rfcdiff?url2=draft-hardaker-rfc5011-security-considerations-02
> >
> > Abstract:
> > This document describes the math behind the minimum time-length that
> > a DNS zone publisher must wait before using a new DNSKEY to sign
> > records when supporting the RFC5011 rollover strategies.
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
> >
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
> ---maf
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop