On Tue, Sep 12, 2017 at 7:25 PM, <internet-dra...@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
>         Title     : Security Considerations for RFC5011 Publishers
>         Authors   : Wes Hardaker
>                     Warren Kumari
>         Filename  : draft-ietf-dnsop-rfc5011-security-considerations-03.txt
>         Pages     : 13
>         Date      : 2017-09-12
>
> Abstract:
>    This document extends the RFC5011 rollover strategy with timing
>    advice that must be followed in order to maintain security.
>    Specifically, this document describes the math behind the minimum
>    time-length that a DNS zone publisher must wait before signing
>    exclusively with recently added DNSKEYs.  This document also
>    describes the minimum time-length that a DNS zone publisher must wait
>    after publishing a revoked DNSKEY before assuming that all active
>    RFC5011 resolvers should have seen the revocation-marked key and
>    removed it from their list of trust anchors.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5011-security-considerations/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-rfc5011-security-considerations-03
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5011-security-considerations-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc5011-security-considerations-03
>
>

5.1.1. Attack Timing Breakdown

"T+11 through T-29"

"T-29" should be "T+29"

--
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop