On Thu, 4 Sep 2008, Mark Andrews wrote:
>
> It's not an issue. You remove the DS's which have that
> algorithm then once they have expired from caches you can
> remove the DNSKEY.
Of course, you can replay them, resulting in a DoS. (I'll call
this attack 6)
On Wed, 3 Sep 2008, Danny McPherson wrote:
> You don't see any evidence of attacks because you haven't read
> about them on NANOG ["or various network forums that you do
> monitor"] - duly noted, and comically ironic.
It is indeed comically ironic (telling, actually) that NANOG hasn't
discussed t
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark Andrews wrote:
> > It's not an issue. You remove the DS's which have that
> > algorithm then once they have expired from caches you can
> > remove the DNSKEY.
>
> That could still leave the zone itself in an inconsistent stat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark Andrews wrote:
> It's not an issue. You remove the DS's which have that
> algorithm then once they have expired from caches you can
> remove the DNSKEY.
That could still leave the zone itself in an inconsistent state... I'm
not
It's not an issue. You remove the DS's which have that
algorithm then once they have expired from caches you can
remove the DNSKEY.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
during some work on DNSKEY maintenance, I think I found a potential
operational issue. If we are going to do new work on DNSSEC Operational
Practices, I would like to suggest adding text similar to that
attached to this message.
The issue lies
Hello Peter and Matt,
eventually, I found the time to take a closer look at the
latest version of your Resolver Priming I-D,
draft-ietf-dnsop-resolver-priming-01,
and again would like to submit a few comments, most of which
are editorial in nature.
Items (4) and (7) ff. should be of interest