(resent due to list hiccups - if anyone gets multiple messages, I
apologize)
I would also mention in the text that this problem applies to a zone
migrating from NSEC to NSEC3 (when using RSA/SHA-1). The algorithm
code is used to signal it so it would appear to resolvers as two
different al
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark Andrews wrote:
>
> What I'm getting from this is that the keyset at the apex must (at
> least) be signed by each algorithm in the DS referral, and every rrset
> in the zone must be signed by each algorithm in the apex keyset.
>
>> which is
And Mark's reply to my previous message:
-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 18:39:49 +1000
From: Mark Andrews <[EMAIL PROTECTED]>
To: Jelte Jansen <[EMAIL PROTECTED]>
CC: dnsop@
I'll take the liberty to resend Mark's messages too;
Resending Mark's reply to Dean Anderson's message
-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 09:35:43 +1000
From: Mark Andrews &l
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Resending my message because of the ietf mailing list problems
-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 10:32:35 +0200
From: Jelte Jansen <[EM
On Thu, 4 Sep 2008, Mark Andrews wrote:
>
> It's not an issue. You remove the DS's which have that
> algorithm then once they have expired from caches you can
> remove the DNSKEY.
Of course, you can replay them, resulting in a DOS. (I'll call
this attack 6)
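As an added illustration (not code from this thread, and not ISC's or BIND's own checks), the following Python models two points raised above: the rule Mark states earlier in the thread, that the apex DNSKEY RRset must be signed by every algorithm in the DS referral and every RRset in the zone must be signed by every algorithm in the apex keyset, and the replay concern just raised, where a still-valid old DS RRset is replayed after the zone has dropped the old algorithm. The algorithm numbers are the IANA assignments (5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256); the RRset labels, the `ZoneState` model and the five-step rollover ordering are assumptions made for the example.

```python
"""Model of the DNSSEC algorithm-rollover consistency rule (added example).

A zone state is reduced to three facts a validator can observe: which
algorithms appear in the parent's DS RRset, which appear in the apex DNSKEY
RRset, and which algorithms have an RRSIG over each RRset in the zone.
"""
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers. 5 and 7 are the same RSA/SHA-1 scheme;
# 7 merely signals NSEC3 support, but validators treat the two as distinct
# algorithms, so an NSEC->NSEC3 migration is itself an algorithm rollover.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8

# Constructed RRset labels standing in for a small zone (assumption).
RRSETS = ("apex DNSKEY", "apex SOA", "www A", "apex NSEC chain")


@dataclass
class ZoneState:
    ds_algs: frozenset      # algorithms in the parent's DS RRset
    dnskey_algs: frozenset  # algorithms in the apex DNSKEY RRset
    rrsig_algs: dict        # RRset label -> frozenset of signing algorithms


def signed_with(*algs):
    """Every RRset in the constructed zone carries an RRSIG for each alg."""
    return {name: frozenset(algs) for name in RRSETS}


def check_zone(state):
    """Return violations of the rollover rule; an empty list means consistent."""
    problems = []
    dnskey_sigs = state.rrsig_algs.get("apex DNSKEY", frozenset())
    # Every DS algorithm needs a matching key and a signature over the keyset.
    for alg in sorted(state.ds_algs - state.dnskey_algs):
        problems.append(f"DS algorithm {alg} has no matching DNSKEY at the apex")
    for alg in sorted(state.ds_algs - dnskey_sigs):
        problems.append(f"apex DNSKEY RRset is not signed with DS algorithm {alg}")
    # Every algorithm in the apex keyset must sign every RRset in the zone.
    for rrset, sigs in sorted(state.rrsig_algs.items()):
        for alg in sorted(state.dnskey_algs - sigs):
            problems.append(f"{rrset} is not signed with DNSKEY algorithm {alg}")
    return problems


def rollover_states(old, new):
    """Conservative double-signature rollover from `old` to `new`, one state per step."""
    both = frozenset({old, new})
    return [
        ("start: only the old algorithm",
         ZoneState(frozenset({old}), frozenset({old}), signed_with(old))),
        ("add new DNSKEY and sign every RRset with both algorithms",
         ZoneState(frozenset({old}), both, signed_with(old, new))),
        ("publish DS for the new algorithm",
         ZoneState(both, both, signed_with(old, new))),
        ("withdraw DS for the old algorithm",
         ZoneState(frozenset({new}), both, signed_with(old, new))),
        ("after the old DS has expired from caches: drop old DNSKEY and RRSIGs",
         ZoneState(frozenset({new}), frozenset({new}), signed_with(new))),
    ]


def audit_rollover(old, new):
    """Map each rollover step to the violations a strict validator would report."""
    return {label: check_zone(state) for label, state in rollover_states(old, new)}


def replay_old_ds(final_state, stale_ds_algs):
    """View of the zone for a validator that still holds (or was fed) the old DS RRset."""
    stale = ZoneState(frozenset(stale_ds_algs), final_state.dnskey_algs,
                      final_state.rrsig_algs)
    return check_zone(stale)


if __name__ == "__main__":
    for label, problems in audit_rollover(RSASHA1, RSASHA256).items():
        print(f"{label}: {'ok' if not problems else problems}")
    final = rollover_states(RSASHA1, RSASHA256)[-1][1]
    print("replayed old DS:", replay_old_ds(final, {RSASHA1, RSASHA256}))
```

Every step of the ordered rollover passes the check, including the NSEC3 case (5 to 7), while the final state seen together with a replayed DS set containing algorithm 5 fails it: that is the failure mode the replay remark describes, since the old DS RRset remains valid until its RRSIG expires even after the parent has withdrawn it.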
-
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark Andrews wrote:
> > It's not an issue. You remove the DS's which have that
> > algorithm then once they have expired from caches you can
> > remove the DNSKEY.
>
> That could still leave the zone itself in an inconsistent stat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark Andrews wrote:
> It's not an issue. You remove the DS's which have that
> algorithm then once they have expired from caches you can
> remove the DNSKEY.
That could still leave the zone itself in an inconsistent state... I'm not
It's not an issue. You remove the DS's which have that
algorithm then once they have expired from caches you can
remove the DNSKEY.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
during some work on DNSKEY maintenance, I think i found a potential
operational issue. If we are going to do new work on DNSSEC Operational
Practices, I would like to suggest to add a text similar to that
attached to this message.
The issue lies