On Thu, Apr 28, 2016 at 03:40:29PM +0100, Jim Reid wrote:

> > If the IETF can not get DNSSEC right, who should?
> 
> They are getting it right AFAICT.

Yes, basically right, here's the DS-free delegation:

    tools.ietf.org.         NS      gamay.levkowetz.com.
    tools.ietf.org.         NS      zinfandel.levkowetz.com.
    tools.ietf.org.         NS      merlot.levkowetz.com.
    tools.ietf.org.         NSEC    trac.ietf.org. NS RRSIG NSEC
    tools.ietf.org.         RRSIG   NSEC 5 3 1800 20170308083312 20160308073501 40452 ietf.org. <sig>

The thing one might quibble about is the IMHO much too long RRSIG
validity interval.  One-year signatures are rather long.  With this
signature in hand, an attacker can deny any signature for tools.ietf.org
until March 2017 even if the zone were signed tomorrow.

-- 
        Viktor.
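As an added example (not code from this thread), a small Python audit that parses RRSIG records in the presentation format quoted above and flags NSEC/NSEC3 signatures whose validity window exceeds a policy, reporting until when a captured denial-of-existence proof would stay acceptable to validators. The 30-day threshold and the embedded sample zone text are assumptions.

```python
"""Audit RRSIG validity windows over NSEC/NSEC3 records (added example)."""
from datetime import datetime, timezone, timedelta

# Constructed input: the delegation quoted in the mail, with the wrapped RRSIG
# joined onto one line; the signature body stays as the placeholder <sig>.
SAMPLE_ZONE = """\
tools.ietf.org.         NS      gamay.levkowetz.com.
tools.ietf.org.         NS      zinfandel.levkowetz.com.
tools.ietf.org.         NS      merlot.levkowetz.com.
tools.ietf.org.         NSEC    trac.ietf.org. NS RRSIG NSEC
tools.ietf.org.         RRSIG   NSEC 5 3 1800 20170308083312 20160308073501 40452 ietf.org. <sig>
"""

def parse_rrsig_time(ts):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 s3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def _rrsig_rdata(fields):
    """RRSIG rdata of one presentation-format line (optional TTL/class skipped), else None."""
    i = 1
    while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
        i += 1
    return fields[i + 1:] if i < len(fields) and fields[i] == "RRSIG" else None

def rrsig_windows(zone_text):
    """(owner, covered_type, inception, expiration) for every RRSIG in the text."""
    out = []
    for line in zone_text.splitlines():
        fields = line.split()
        rdata = _rrsig_rdata(fields) if fields else None
        # rdata layout: type_covered alg labels orig_ttl expiration inception keytag signer sig
        if rdata is None or len(rdata) < 8:
            continue
        out.append((fields[0], rdata[0], parse_rrsig_time(rdata[5]), parse_rrsig_time(rdata[4])))
    return out

def replayable_denials(zone_text, max_validity_days=30):
    """Flag NSEC/NSEC3 signatures whose validity exceeds the given policy (assumed default: 30 days).

    A captured denial-of-existence proof (here 'no DS at tools.ietf.org') is
    accepted by validators until its RRSIG expires, so a DS published later
    is ignored by any resolver fed the old signature until that date."""
    findings = []
    for owner, covered, inception, expiration in rrsig_windows(zone_text):
        validity = expiration - inception
        if covered in ("NSEC", "NSEC3") and validity > timedelta(days=max_validity_days):
            findings.append({"owner": owner, "covered": covered,
                             "validity_days": validity.days, "replayable_until": expiration})
    return findings
```

Running `replayable_denials(SAMPLE_ZONE)` reports the quoted NSEC signature as valid for 365 days and replayable until 2017-03-08, the date the mail refers to.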

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane