On 3/26/2014 9:41 AM, Evan Hunt wrote:
On Wed, Mar 26, 2014 at 06:52:44PM +0800, Warren Kumari wrote:
"Feature", but does catch many folk by surprise.
I'd written a patch and given it to someone at ISC that makes dig
output a warning message if you hand it both the "+trace" and
"@server" options
On Fri, Mar 28, 2014 at 2:29 PM, Joe Abley wrote:
>
> On 28 Mar 2014, at 10:26, Phillip Hallam-Baker wrote:
>
> > VeriSign is acting on ICANN's instructions.
>
> I think actually that Verisign is acting on NTIA's instructions under the
> cooperative agreement. But my experience while I was there
On 28 Mar 2014, at 10:26, Phillip Hallam-Baker wrote:
> VeriSign is acting on ICANN's instructions.
I think actually that Verisign is acting on NTIA's instructions under the
cooperative agreement. But my experience while I was there was that the three
organisations work in concert on this kin
* Bill Woodcock [2014-03-27 23:54]:
>
> On Mar 27, 2014, at 10:14 AM, Matthäus Wander
> wrote:
>> Here's a small statistic about RSA key lengths of 741,552 signed
>> second-level domains (collected on 2014-01-27, counting KSK and
>> ZSKs):
>>
>> 10
On Fri, Mar 28, 2014 at 11:28 AM, Thierry Moreau <thierry.mor...@connotech.com> wrote:
> On 03/27/14 13:56, Nicholas Weaver wrote:
>
>>
>>
>> So why the hell do the real operators of DNSSEC that matters, notably com
>> and ., use 1024b RSA keys?
>>
>> And don't give me that key-roll BS: Give me a
On 03/27/14 13:56, Nicholas Weaver wrote:
So why the hell do the real operators of DNSSEC that matters, notably com and
., use 1024b RSA keys?
And don't give me that key-roll BS: Give me an out of date key for . and a MitM
position, and I can basically create a false world for many DNSSEC-va
On Fri, Mar 28, 2014 at 9:50 AM, Joe Abley wrote:
>
> On 28 Mar 2014, at 9:06, Phillip Hallam-Baker wrote:
>
> > Therefore ICANN needs to sign the root zone with 2048 before we consider
> > it signed. End of story.
>
> Small point of clarity: the only key that ICANN maintains is the 2048 bit
> KSK
On 28 Mar 2014, at 9:06, Phillip Hallam-Baker wrote:
> Therefore ICANN needs to sign the root zone with 2048 before we consider it
> signed. End of story.
Small point of clarity: the only key that ICANN maintains is the 2048 bit KSK,
and the only signatures ICANN makes with it are over the DN
Phillip Hallam-Baker wrote:
> On Fri, Mar 28, 2014 at 9:01 AM, Tony Finch wrote:
> >
> > I have a rough plan for how to avoid the insecure time replay vulnerability:
> > http://www.ietf.org/mail-archive/web/dnsop/current/msg11245.html
>
> Why is this needed?
Some devices don't have battery-backe
On Fri, Mar 28, 2014 at 09:06:17AM -0400, Phillip Hallam-Baker wrote:
> Code is only vulnerable if it trusts 1024bit RSA. Code should not trust
> 1024bit RSA.
>
> Therefore ICANN needs to sign the root zone with 2048 before we consider it
> signed. End of story.
I think the point was that there w
On Fri, Mar 28, 2014 at 9:01 AM, Tony Finch wrote:
> Paul Wouters wrote:
>
> > On Thu, 27 Mar 2014, Nicholas Weaver wrote:
> >
> > > For an attacker, the root ZSK is not 1 month validity, since an attacker
> > > who's in a position to take advantage of such a ZSK compromise is going to
> > >
Paul Wouters wrote:
> On Thu, 27 Mar 2014, Nicholas Weaver wrote:
>
> > For an attacker, the root ZSK is not 1 month validity, since an attacker
> > who's in a position to take advantage of such a ZSK compromise is going to
> > be faking all of DNS for the target, and can therefore just as easily
On Mar 28, 2014, at 1:34 AM, Stephane Bortzmeyer wrote:
> On Thu, Mar 27, 2014 at 01:15:00PM -0700,
> Nicholas Weaver wrote
> a message of 75 lines which said:
>
>> But fixing this going forward requires a 1-line change in the ZSK
>> script:
>
> I have nothing against longer keys but this s
On Thu, Mar 27, 2014 at 01:15:00PM -0700,
Nicholas Weaver wrote
a message of 75 lines which said:
> But fixing this going forward requires a 1-line change in the ZSK
> script:
I have nothing against longer keys but this sort of sentence ("DNSSEC
is simple, anyone can do it in five minutes")