On Fri, 6 Jun 2014, Viktor Dukhovni wrote:
> The best example for PRK is a transition from a current "2 0 1" TLSA
> RRs to future "3 1 1" RR. The administrator needs to know to do:
>
> Initial:
>     IN TLSA 2 0 1 {old TA}
> Intermediate:
>     IN TLSA 3 1 1 {switch to old leaf}
>     IN TLSA 3 1 1 {new leaf}
> Final:
>     IN TLSA 3 1 1 {new leaf}
>
> rather than the more naively obvious:
>
> Initial:
>     IN TLSA 2 0 1 {old TA}
> Intermediate:
>     IN TLSA 2 0 1 {old TA}
>     IN TLSA 3 1 1 {new leaf}
> Final:
>     IN TLSA 3 1 1 {new leaf}
>
> because here, until the new leaf is deployed after the original
> TTL expires, PRK clients might conclude that it is safe to use PRK,
> but it is not because the server's current (old) key can't be
> matched via an EE SPKI association.
Okay, I understand this example now and your desire to not mix up TLSA
types. However, the operations document could simply advise not to
combine a key rollover with a usage/type/selector rollover at once,
which seems more appropriate than banning all other valid scenarios
that mix up type such as:

    IN TLSA 2 0 1 {current TA}
    IN TLSA 3 1 1 {current leaf}
Paul
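The two rollover sequences above, plus Paul's mixed "current TA + current leaf" set, can be checked mechanically. The following is an added example, not code from the thread or from any DANE implementation. It assumes (a) a "3 1 1" RR holds the SHA-256 of the end-entity SPKI and a "2 0 1" RR the SHA-256 of a trust-anchor certificate, (b) a PRK-capable client that sends a raw public key presents no chain, so only EE SPKI associations can match it, and (c) a PRK client rule that is parameterised because the thread does not pin it down: `policy="any"` treats a single "3 1 1" RR as permission to use a raw key (the reading under which Viktor's naive intermediate breaks), `policy="all"` requires every RR to be "3 1 1". All certificate and key bytes are constructed placeholders; only their hashes are compared.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the DER objects; only their SHA-256 hashes matter here.
OLD_TA = b"constructed: old trust-anchor certificate"
OLD_LEAF = b"constructed: old end-entity SPKI"
NEW_LEAF = b"constructed: new end-entity SPKI"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: str


def rr_2_0_1(ta_cert: bytes) -> TLSA:   # "2 0 1": SHA-256 of a trust-anchor certificate
    return TLSA(2, 0, 1, sha256_hex(ta_cert))


def rr_3_1_1(spki: bytes) -> TLSA:      # "3 1 1": SHA-256 of the end-entity SPKI
    return TLSA(3, 1, 1, sha256_hex(spki))


@dataclass(frozen=True)
class Server:
    spki: bytes  # public key the server currently uses
    ta: bytes    # trust anchor of the chain it would present


def rr_matches(rr: TLSA, server: Server, raw_key_only: bool) -> bool:
    if rr == rr_3_1_1(server.spki):
        return True
    if raw_key_only:           # no chain on the wire, so a TA association cannot match
        return False
    return rr == rr_2_0_1(server.ta)


def wants_raw_key(rrset, policy: str) -> bool:
    """Assumed PRK client rule: 'any' = one 3 1 1 RR is taken as permission to send a
    raw public key; 'all' = only when every RR in the set is 3 1 1."""
    ee = [rr.usage == 3 and rr.selector == 1 for rr in rrset]
    return any(ee) if policy == "any" else all(ee)


def client_ok(rrset, server: Server, prk_capable: bool, policy: str = "any") -> bool:
    raw = prk_capable and wants_raw_key(rrset, policy)
    return any(rr_matches(rr, server, raw) for rr in rrset)


def check_rollover(steps, policy: str = "any"):
    """steps: per step, (RRsets that may still be cached within TTL, key the server uses).
    Returns (step index, client kind) for every combination that fails to authenticate."""
    failures = []
    for i, (visible, server) in enumerate(steps):
        for rrset in visible:
            for prk in (False, True):
                if not client_ok(rrset, server, prk, policy):
                    failures.append((i, "PRK client" if prk else "full-chain client"))
    return failures


OLD = Server(OLD_LEAF, OLD_TA)
NEW = Server(NEW_LEAF, OLD_TA)  # assumption: the new leaf is issued under the same TA
A = (rr_2_0_1(OLD_TA),)
B = (rr_3_1_1(OLD_LEAF), rr_3_1_1(NEW_LEAF))   # Viktor's recommended intermediate
N = (rr_2_0_1(OLD_TA), rr_3_1_1(NEW_LEAF))      # the "naively obvious" intermediate
C = (rr_3_1_1(NEW_LEAF),)

# In both sequences the new key goes live only once the intermediate RRset is the only
# one still cached; a newly published RRset coexists with its predecessor for one TTL.
RECOMMENDED = [([A], OLD), ([A, B], OLD), ([B], OLD), ([B], NEW), ([B, C], NEW), ([C], NEW)]
NAIVE = [([A], OLD), ([A, N], OLD), ([N], OLD), ([N], NEW), ([N, C], NEW), ([C], NEW)]
# Paul's mixed set: current TA and current leaf published together, no key change.
MIXED_CURRENT = [([(rr_2_0_1(OLD_TA), rr_3_1_1(OLD_LEAF))], OLD)]

if __name__ == "__main__":
    for name, steps in (("recommended", RECOMMENDED), ("naive", NAIVE), ("mixed", MIXED_CURRENT)):
        print(name, check_rollover(steps) or "ok")
```

Under the "any" rule the naive sequence fails for PRK clients at steps 1 and 2 (the intermediate is visible while the server still holds the old key, and nothing in that set matches the old SPKI), while full-chain clients are fine via the "2 0 1" record; the recommended sequence and the mixed current-TA/current-leaf set pass throughout. Under the "all" rule the naive intermediate is harmless, which is the crux of the disagreement: whether mixed usage types need to be banned depends entirely on how a PRK client decides to send a raw key.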
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane