On Wed, Jan 07, 2015 at 01:00:10PM -0500, John wrote:

> I assume this list is "best" to "worst"

Roughly speaking yes, though none are a disaster.  Pick usage "3"
in most cases, but if you know what you're doing, want to operate
an internal CA and have lots of hosts to secure, usage 2 might be
right for you.

> >     ; Use "3 1 1", the other three are OK, but "3 1 1" is better.
> >     _25._tcp.mx.example.com. IN TLSA 3 1 1 <sha2-256 digest of DER leaf public key in X.509 SPKI format>
> >     _25._tcp.mx.example.com. IN TLSA 3 0 1 <sha2-256 digest of DER leaf cert>
> >     _25._tcp.mx.example.com. IN TLSA 3 1 2 <sha2-512 digest of DER leaf public key in X.509 SPKI format>
> >     _25._tcp.mx.example.com. IN TLSA 3 0 2 <sha2-512 digest of DER leaf cert>
> >
> >     ; Use "2 0 1", the other three are OK, but "2 0 1" is better.
> >     _25._tcp.mx.example.com. IN TLSA 2 0 1 <sha2-256 digest of DER CA certificate>
> >     _25._tcp.mx.example.com. IN TLSA 2 1 1 <sha2-256 digest of DER CA public key in X.509 SPKI format>
> >     _25._tcp.mx.example.com. IN TLSA 2 0 2 <sha2-512 digest of DER CA certificate>
> >     _25._tcp.mx.example.com. IN TLSA 2 1 2 <sha2-512 digest of DER CA public key in X.509 SPKI format>
>
> I am not sure I understand this. Why are you linking the two?

I am not linking anything.

> >     * Do understand how to coordinate DANE TLSA record updates with
> >       key rotation, and never forget to update DANE TLSA records
> >       as part of that process.
>
> Has anybody published any recommendations as to timing for the life cycle of
> a ZSK (and KSK for that matter)? So far the only recommendation I have seen
> was a footnote in a paper on DNSSEC. It recommended 1yr for KSK and 4yrs for
> KSKs. I think these numbers are unrealistic for a couple of reasons: 1) with
> the growth of hacker nets I do not think keys can survive that long. 2) on a
> much more mundane level - with staff turnover etc., rollover is liable to
> slip between the cracks.

I'll leave DNSSEC ops for others to describe; I'm relatively new to that.

> Victor - I have a question and a suggestion which I would like to explore
> offline. May I contact you at IETF, or at any other address you like? You
> may contact me at j...@klam.ca.

OK.

-- 
        Viktor.
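As an added example (not code from this thread), here is how the data field of each TLSA record quoted above is derived: selector 0 hashes the whole DER certificate, selector 1 only its SubjectPublicKeyInfo, matching type 1 or 2 picks SHA2-256 or SHA2-512, and the usage value only records whether the hashed certificate is the leaf (3) or the issuing CA (2). The minimal DER walker and the stand-in certificate bytes are my own assumptions, not from the list.

```python
import hashlib

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, single-byte tag)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        first = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + first], pos + first

def extract_spki(cert_der: bytes) -> bytes:
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, nxt = _read_tlv(tbs, 0)              # optional EXPLICIT [0] version
    pos = nxt if tag == 0xA0 else 0
    for _ in range(5):                           # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return tbs[pos:end]

def digest_hex(data: bytes, mtype: int) -> str:
    """Matching type 1 = SHA2-256, 2 = SHA2-512."""
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """'usage selector mtype hex': selector 0 hashes the whole DER cert, 1 the SPKI.
    Usage 3 means cert_der is the leaf, usage 2 that it is the issuing CA cert."""
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in (1, 2):
        raise ValueError("outside the usage/selector/matching-type set discussed")
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return f"{usage} {selector} {mtype} {digest_hex(data, mtype)}"

# Constructed stand-in: shaped like a Certificate but unsigned, with dummy fields,
# so the example runs offline. Feed the real DER of the MX (or CA) cert instead.
SPKI_DER = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101"))
                           + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + b"\x42" * 16))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
            + _tlv(0x30, b"") * 4 + SPKI_DER)
CERT_DER = _tlv(0x30, _TBS + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

Calling `tlsa_rdata(CERT_DER, 3, 1, 1)` yields the "3 1 1" data field; the same function with the CA's DER and usage 2 yields the "2 0 1" form, which is why a leaf key rotation changes the "3 x y" records but not the "2 x y" ones.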
