On Sat, Apr 30, 2016 at 01:14:51PM -0400, Paul Wouters wrote:
> >Yes, basically right, here's the DS-free delegation:
> >
> > tools.ietf.org. NS gamay.levkowetz.com.
> > tools.ietf.org. NS zinfandel.levkowetz.com.
> > tools.ietf.org. NS merlot.levkowetz.com.
> > tools.ietf.org. NSEC trac.ietf.org. NS RRSIG NSEC
> > tools.ietf.org. RRSIG NSEC 5 3 1800 20170308083312
> > 20160308073501 40452 ietf.org. <sig>
> >
> >The thing one might quibble about is the IMHO much too long RRSIG
> >validity interval. One year signatures are rather long. With this
> >signature in hand, an attacker can deny any signature for tools.ietf.org
> >until March 2017 even if the zone were signed tomorrow.
>
> or until ietf.org rolls the ZSK, whichever time period is shorter.
No, they have to roll the KSK, because the attacker can also replay
the current DNSKEY RRset along with the current unsigned delegation;
the DNSKEY RRset is, not surprisingly, also good for a year.
The DS RRset at the .org level has a more sensible lifetime (21d+1h),
so if a new KSK were deployed now, the insecure delegation could
be invalidated around May 17th.
$ dig +noall +ans +nocl +nottl +dnssec +multi -t dnskey ietf.org
ietf.org. DNSKEY 257 3 5 (
AwEAAavjQ1H6pE8FV8LGP0wQBFVL0EM9BRfqxz9p/sZ+
8AByqyFHLdZcHoOGF7CgB5OKYMvGOgysuYQloPlwbq7W
s5WywbutbXyG24lMWy4jijlJUsaFrS5EvUu4ydmuRc/T
GnEXnN1XQkO+waIT4cLtrmcWjoY8Oqud6lDaJdj1cKr2
nX1NrmMRowIu3DIVtGbQJmzpukpDVZaYMMAm8M5vz4U2
vRCVETLgDoQ7rhsiD127J8gVExjO8B0113jCajbFRcMt
UtFTjH4z7jXP2ZzDcXsgpe4LYFuenFQAcRBRlE6oaykH
R7rlPqqmw58nIELJUFoMcb/BdRLgbyTeurFlnxs=
) ; key id = 45586
ietf.org. DNSKEY 256 3 5 (
AwEAAdDECajHaTjfSoNTY58WcBah1BxPKVIHBz4IfLjf
qMvium4lgKtKZLe97DgJ5/NQrNEGGQmr6fKvUj67cfrZ
UojZ2cGRizVhgkOqZ9scaTVXNuXLM5Tw7VWOVIceeXAu
uH2mPIiEV6MhJYUsW6dvmNsJ4XwCgNgroAmXhoMEiWEj
BB+wjYZQ5GtZHBFKVXACSWTiCtddHcueOeSVPi5WH94V
lubhHfiytNPZLrObhUCHT6k0tNE6phLoHnXWU+6vpsYp
z6GhMw/R9BFxW5PdPFIWBgoWk2/XFVRSKG9Lr61b2z1R
126xeUwvw46RVy3hanV3vNO7LM5HniqaYclBbhk=
) ; key id = 40452
ietf.org. RRSIG DNSKEY 5 2 1800 20170308083223 (
20160308073501 45586 ietf.org.
IOQgHR12mJD0TO9+wnJLDh7N/2lhnIrcvf5ZlwtwBWn6
LDg2OJVN/CGtoOaNUYMPxgrzG5Ww7qAMn84vAhunBf1c
+yfX5XCO99+K3tXsqRg+znMnAmOTFRcTztG2B8u4keRu
beKYWfXFk9LGmGd7BXczKa0F+HjhyeLpOeXOnfTMn1Gy
RvcVetJJqp7HpKowc23rxSEADC/NB+3euARWUTlrk9AX
P9OThWMzOlYk6hvBPNQtrl5iM8eZGw9QqF3SDlduHyFd
bmNdD3QR9XjfYpOq3MuqWCMbrBTUmljNRLO8eswUCYxl
IrE5vggDraAZiSGHmTf5g3YToPchp3DkTg== )
ietf.org. RRSIG DNSKEY 5 2 1800 20170308083248 (
20160308073501 40452 ietf.org.
n5vYSrmnnylmFVP6KmqjujHDOVlr+A8o8RldrXZENJNU
BBGs/HsA/WkEQiLOBE3dv8CpOtF7fCH4fwNzS8J47K/K
64Zb4Z13Z0aEWtpKo1lJDGKr/UWn0s9PQelMWu3z2tQa
vfUeCHuZZDwhhHf2jSxiq5AOtRCOzbDCvAmPhzW4/sXX
QzVanXbQzBWAlIBIDO065zUla08ldkWC4xPE0S9MzAwA
MEWkhcfau6FfI0+W5ePRdcVpXKywZq8VmWjxV/g2f5sT
Ws+dXMvWVKfsvyYx94NIwxL+hbMUX+eik50d5S3T946s
AzyN5WzzkVR6QTxCs7THASBPuiruC2Luqw== )
$ dig +noall +ans +nocl +nottl +dnssec +multi -t ds ietf.org
ietf.org. DS 45586 5 1 (
D0FDF996D1AF2CCDBDC942B02CB02D379629E20B )
ietf.org. DS 45586 5 2 (
67FCD7E0B9E0366309F3B6F7476DFF931D5226EDC534
8CD80FD82A081DFCF6EE )
ietf.org. RRSIG DS 7 2 86400 20160516150430 (
20160425140430 20264 org.
gL/MRQuOAoHDE25R3K9pvSFjJdd6ugmdSuwZSvnhEqP2
FemzlHFbPV0eNwJlezIAV4p95U/Hxikb3dgGSTac6jch
9RIyfdtDU/Rp6nk2SYjJRnrc4VxBTSfugcBHPGOmlHtq
SPDrjk8iNM0x9r+ZTXwGod40oX9dobwCE3OQ5NM= )
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
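The replay reasoning above (the unsigned delegation stays replayable until the NSEC RRSIG or the DNSKEY RRSIG expires, and only a KSK roll, bounded by the parent's DS RRSIG lifetime, cuts that short) can be turned into a routine check. The following Python is an added example, not code from the thread or from the IETF; it parses the `dig +noall +ans +nocl +nottl +dnssec +multi` layout shown in the message, flags RRSIGs with validity windows longer than a threshold, and computes the replay horizon for a DS-free delegation. The sample records are constructed to match the shape of the ones quoted above, with the signature and key data elided; the function names and the 30-day threshold are this example's own choices.

```python
"""Audit RRSIG validity windows from dig output and compute how long a
replayed, DS-free delegation keeps validating (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample in `dig +noall +ans +nocl +nottl +dnssec +multi` layout;
# key and signature data are replaced by <key>/<sig> placeholders.
SAMPLE = """\
tools.ietf.org. NS gamay.levkowetz.com.
tools.ietf.org. NSEC trac.ietf.org. NS RRSIG NSEC
tools.ietf.org. RRSIG NSEC 5 3 1800 20170308083312 (
                20160308073501 40452 ietf.org. <sig> )
ietf.org. DNSKEY 257 3 5 ( <key> ) ; key id = 45586
ietf.org. RRSIG DNSKEY 5 2 1800 20170308083223 (
                20160308073501 45586 ietf.org. <sig> )
ietf.org. RRSIG DNSKEY 5 2 1800 20170308083248 (
                20160308073501 40452 ietf.org. <sig> )
ietf.org. DS 45586 5 1 ( D0FDF996D1AF2CCDBDC942B02CB02D379629E20B )
ietf.org. RRSIG DS 7 2 86400 20160516150430 (
                20160425140430 20264 org. <sig> )
"""

# owner [ttl] [class] RRSIG covered alg labels origttl expire incept keytag signer sig...
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)


def _ts(s):
    """RRSIG timestamp YYYYMMDDHHMMSS -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def logical_records(text):
    """Join dig's parenthesised continuation lines into one record each,
    dropping ';' comments such as '; key id = 45586'."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            records.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return records


def parse_rrsigs(text):
    """Return one dict per RRSIG found in the dig output."""
    sigs = []
    for rec in logical_records(text):
        m = RRSIG_RE.match(rec)
        if not m:
            continue
        d = m.groupdict()
        d["owner"], d["signer"] = d["owner"].lower(), d["signer"].lower()
        d["expire"], d["incept"] = _ts(d["expire"]), _ts(d["incept"])
        d["window_days"] = (d["expire"] - d["incept"]).total_seconds() / 86400
        sigs.append(d)
    return sigs


def long_lived(sigs, max_days=30):
    """RRSIGs whose validity window exceeds max_days (threshold is an
    example choice): each is a replay window for the state it signs."""
    return [(s["owner"], s["covered"], int(s["window_days"]))
            for s in sigs if s["window_days"] > max_days]


def replay_horizon(sigs, zone):
    """When a replayed DS-free delegation under `zone` stops validating.

    The attacker must replay both the NSEC/NSEC3 denial of DS (signed by
    the zone's ZSK) and the zone's DNSKEY RRset (self-signed by its KSK),
    so without a key roll the horizon is the earlier of those expirations.
    A ZSK roll does not help, the old DNSKEY RRset is replayed as well; a
    KSK roll makes the replayed DNSKEY RRset unverifiable once the parent's
    RRSIG over the old DS RRset expires.
    """
    def earliest(pred):
        return min(s["expire"] for s in sigs if pred(s))
    denial = earliest(lambda s: s["covered"] in ("NSEC", "NSEC3") and s["signer"] == zone)
    dnskey = earliest(lambda s: s["covered"] == "DNSKEY" and s["owner"] == zone)
    ds = earliest(lambda s: s["covered"] == "DS" and s["owner"] == zone)
    no_roll = min(denial, dnskey)
    return {"without_ksk_roll": no_roll, "after_ksk_roll": min(no_roll, ds)}


if __name__ == "__main__":
    sigs = parse_rrsigs(SAMPLE)
    for owner, covered, days in long_lived(sigs):
        print(f"{owner} RRSIG {covered}: {days}-day validity window")
    for label, when in replay_horizon(sigs, "ietf.org.").items():
        print(f"{label}: {when:%Y-%m-%d %H:%M:%S} UTC")
```

To run it against live data, pipe the concatenated output of the three `dig` commands quoted in the thread into `parse_rrsigs` instead of `SAMPLE`; the regex tolerates the default TTL and class columns, so the `+nocl +nottl` options are not required. The horizon is a lower bound on what a validator will accept: caching adds up to the record TTLs on top of the RRSIG expiration.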