So far, experience tells us exactly that. I am afraid it will continue to do so
Joao
On 2 Jun 2011, at 21:28, David Conrad wrote:
> On Jun 2, 2011, at 5:23 AM, Richard Lamb wrote:
>
> On the other hand, pragmatically speaking, I suspect signature expiration
> will be causing more damage to the
sponse ...)
Kind regards,
Marc Lampo
Security Officer
EURid
-----Original Message-----
From: Richard Lamb [mailto:richard.l...@icann.org]
Sent: 02 June 2011 05:24 PM
To: Joe Abley; João Damas
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] watching for signature expiration in zones you don't
ge-
From: Paul Hoffman [mailto:paul.hoff...@vpnc.org]
Sent: 02 June 2011 05:43 PM
To: Joe Abley
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] watching for signature expiration in zones you don't
sign
Another thought is to simply keep a detailed history and watch the
replacements. For each zone
On Jun 2, 2011, at 5:23 AM, Richard Lamb wrote:
> I still think, stale or not, having some idea of what the zone's policy is
> regarding signature updates would be useful.
I'll admit a vague, unsubstantiated feeling of ill-ease about this. Would
publishing this policy provide information of b
Good point. Make it adaptive.
> -----Original Message-----
> From: dnsop-boun...@ietf.org [mailto:dnsop-boun...@ietf.org] On Behalf Of
> Paul Hoffman
> Sent: Thursday, June 02, 2011 8:43 AM
> To: Joe Abley
> Cc: IETF DNSOP WG
> Subject: Re: [DNSOP] watching for signature ex
Time is a pain in the neck. Conversations over the meaning of timers
and time fields have gone on for a long time.
Keep in mind the difference between absolute (or wall clock) time and
relative time. The latter is even stickier because the time may be
relative to an event that is local and n
maximum TTL in zone
Olafur
-Rick
-----Original Message-----
From: dnsop-boun...@ietf.org [mailto:dnsop-boun...@ietf.org] On Behalf Of Joe
Abley
Sent: Thursday, June 02, 2011 3:22 AM
To: João Damas
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] watching for signature expiration in zones you don't
Another thought is to simply keep a detailed history and watch the
replacements. For each zone, you should be able to determine what their normal
renewal buffer is. You would only need to be concerned about those that get too
close to the edge from their normal operations.
--Paul Hoffman
dnsop-boun...@ietf.org] On Behalf Of Joe
> Abley
> Sent: Thursday, June 02, 2011 3:22 AM
> To: João Damas
> Cc: IETF DNSOP WG
> Subject: Re: [DNSOP] watching for signature expiration in zones you don't sign
>
>
> On 2011-06-02, at 13:17, João Damas wrote:
>
On 2 Jun 2011, at 15:24, Tony Finch wrote:
How does this differ from the metadata that's in the zone's RRSIG and SOA
records?
Joe's script doesn't display that metadata. It might help you decide if
you should worry about signatures that are due to expire soon, more than
just the interva
Jim Reid wrote:
> On 2 Jun 2011, at 14:53, Tony Finch wrote:
>
> > It's possibly useful to know the ratio of the intervals between the
> > inception time and now, and now and the expiry time. Also the relation
> > between the now/expiry interval and the relevant TTLs and zone refresh and
> > expir
On 2 Jun 2011, at 14:53, Tony Finch wrote:
It's possibly useful to know the ratio of the intervals between the
inception time and now, and now and the expiry time. Also the relation
between the now/expiry interval and the relevant TTLs and zone refresh and
expiry intervals.
How does this d
Edward Lewis wrote:
> At 13:02 +0300 6/2/11, Joe Abley wrote:
>
> > I have realised, however, that I can't tell whether a signature that is
> > (say) going to expire in under three days is a cause for concern, or
> > whether it's normal operations and something I should expect to be
> > replaced a
At 13:02 +0300 6/2/11, Joe Abley wrote:
I have realised, however, that I can't tell whether a signature that is
(say) going to expire in under three days is a cause for concern, or
whether it's normal operations and something I should expect to be
replaced as part of normal operations.
Once up
Joe Abley wrote:
>
> Is there perhaps value in finding a mechanism by which zone operators
> can publish information in their zones which gives guidance as to what
> the normal limits for signature expiration ought to be?
Sounds like a good idea. I agree with João that you need to take care not
t
On 2011-06-02, at 13:17, João Damas wrote:
> at first glance it might look useful, but this is the kind of info that tends
> to go stale and then what do you do when there is a mismatch?
I guess you flag it for manual investigation. The alternative is that you don't
really know when a situatio
at first glance it might look useful, but this is the kind of info that tends
to go stale and then what do you do when there is a mismatch?
Would you invalidate a still-valid signature if it doesn't conform to policy in
case someone else is signing the zone other than the authorised party?
Would