Perhaps this is a good time for me to plug adoption of Signaling Cryptographic
Algorithm Understanding, per RFC 6975. The sooner this gets included in the
implementation on the query side, the sooner we will have solid information on
when it will be ok to phase out an obsolete algorithm.
This is
Frederico A C Neves wrote:
> On Wed, Apr 02, 2014 at 04:25:10PM -0400, Nicholas Weaver wrote:
> >
> > IMO they do until validators record and use a 'root key ratchet':
> > never accept a key whose expiration is older than the inception date
> > of the RRSIG on the youngest root ZSK seen, or have s
Not that this matters, but this is the first look I have had at this document.
I’ll start with a heavy dose of skepticism as this is intended for the
standards track.
This is “impossible to implement”:
2.3.2. Child Nameserver Selection
Parental agents will need to poll child nameservers in
Joe Abley wrote:
> I'm trying to understand the time-based attack, but I'm not seeing it.
I think a plausible form of this attack involves DNSSEC validation at
the edge.
(1) DoS your victim, to force them into trouble-shooting mode. Hopefully
they will reboot, at which point you can lie to them
On Apr 4, 2014, at 9:09, Ted Lemon wrote:
> On Apr 4, 2014, at 8:53 AM, Antoin Verschuren
> wrote:
>> I don't consider these other names with dots in them inferior, but
>> they are simply not domain names.
>
> Whether you are right or not, I think Stephane's interpretation is
> technically c
On Apr 3, 2014, at 17:39, Suzanne Woolf wrote:
> 6. Publish documents that attempt to better define the overlapping
> area among the public DNS root, DNS-like names as used in local or
> restricted
> naming scopes, and the 'special names' registry that IETF
> manages, and how they will in
On Apr 4, 2014, at 8:53 AM, Antoin Verschuren wrote:
> I don't consider these other names with dots in them inferior, but
> they are simply not domain names.
Whether you are right or not, I think Stephane's interpretation is technically
correct. I don't mean that it _is_, I just mean that I t
On 04-04-14 10:59, Stephane Bortzmeyer wrote:
> same) and I dislike even more "DNS-like names", which seems to
> imply there are inferior names. www.foobar.local is a domain name,
> even if it is not resolved through the DNS.
I tend to disagree to
On Thu, Apr 03, 2014 at 05:39:58PM -0400,
Suzanne Woolf wrote
a message of 69 lines which said:
> 4. Publish documents on extensions or protocol maintenance to the DNS
> Protocol, with a focus on the operational impacts of
> such changes. Act as clearinghouse for discussion or provide ad