> [EMAIL PROTECTED] writes:
> > Pre change:
> > example.com SIG KEY expire=200107292257 (1 day)
> > host.example.com SIG A expire=200108272257 (30 days)
> > Post change:
> > example.com SIG KEY expire=200107072258 (1 day)
> > host.example.com SIG A expire=200108272258 (30 days)
>
> You are, as I said, signing the host record again. You have to sign all
> your other records too, never mind the costs of generating and
> distributing the new key.
Is the cost of generating a new key occasionally more or
less than that of signing the whole zone daily? As for the
cost of distributing the new key, it is no different to
continuing to distribute the old key apart from the cost in
getting it signed (which is the same in both your and my
cases).
>
> If you change at least one of your records every day---certainly a
> reasonable assumption for the big organizations we're talking about---
> then you are signing all your records every day. The key change isn't
> accomplishing anything.
You are making ungrounded assumptions here. Not all large
organizations keep everything in one flat namespace. If
you use the DNS as it was designed to be used you don't
see every zone in an organization changing daily or even
monthly (or even a large percentage of them).
>
> The bottom line remains the same. Even without renumbering, you are
> signing every record every day.
Really. Real life has plenty of examples where existing
zones are not changed daily. To get 1 day replay protection
something needs to be signed daily, however it doesn't have
to be everything.
> If that isn't a problem, then occasional
> renumbering certainly isn't a problem. If you have one day warning, you
> can renumber for free.
Iff your assumptions hold true. In the real world there are
plenty of cases where they don't.
>
> ---Dan
Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
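The two schedules being argued over above can be compared by counting signature operations. The following is an added example for this thread, not code from either poster: it parses the expire= timestamps in the format quoted above and simulates a zone with one KEY RRset plus a number of host A RRsets under each schedule. The zone size, the number of hosts that change per day, and the rule that an A record is re-signed only when it changes or has under one day of validity left are assumptions made here to make the comparison concrete.

```python
"""Cost model for the two DNSSEC signing schedules discussed in the thread.

Added example, not code from either poster. Zone size, churn rate and
the refresh rule are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The expire= values quoted in the thread are YYYYMMDDHHMM.
EXPIRE_FMT = "%Y%m%d%H%M"


def parse_expire(text: str) -> datetime:
    """Turn an expire=200107072258 style value into a datetime."""
    return datetime.strptime(text, EXPIRE_FMT)


def replay_window(expire: str, signed_at: datetime) -> timedelta:
    """How long a captured copy of the signed RRset remains verifiable.

    A 1-day window means a replayed answer stops validating within a day
    of signing, which is the replay protection the thread talks about.
    """
    return parse_expire(expire) - signed_at


@dataclass
class RRset:
    name: str
    rtype: str
    sig_expire: Optional[datetime] = None  # None: not yet signed
    changed: bool = False


def simulate(n_hosts: int, days: int, changes_per_day: int, strategy: str) -> int:
    """Count SIG generations over `days` days for one KEY RRset + n_hosts A RRsets.

    'resign-all'    : every RRset gets a fresh 1-day SIG every day
                      (the reading that everything is signed daily).
    'short-key-sig' : only the KEY RRset gets a 1-day SIG daily; A RRsets
                      get 30-day SIGs and are re-signed only when they change
                      or have under one day of validity left.
    Assumption: `changes_per_day` distinct hosts change each day, chosen
    deterministically so the run is reproducible.
    """
    if changes_per_day > n_hosts:
        raise ValueError("cannot change more hosts per day than exist")
    # Assumed signing time: one day before the quoted KEY expiry 200107072258.
    start = datetime(2001, 7, 6, 22, 58)
    key = RRset("example.com", "KEY")
    hosts = [RRset(f"host{i}.example.com", "A") for i in range(n_hosts)]
    signatures = 0
    for day in range(days):
        now = start + timedelta(days=day)
        # Constructed churn: a rotating set of hosts is edited today.
        for i in range(changes_per_day):
            hosts[(day * changes_per_day + i) % n_hosts].changed = True
        if strategy == "resign-all":
            for rr in [key] + hosts:
                rr.sig_expire = now + timedelta(days=1)
                rr.changed = False
                signatures += 1
        elif strategy == "short-key-sig":
            key.sig_expire = now + timedelta(days=1)
            signatures += 1
            for rr in hosts:
                needs_sig = (rr.sig_expire is None or rr.changed
                             or rr.sig_expire - now < timedelta(days=1))
                if needs_sig:
                    rr.sig_expire = now + timedelta(days=30)
                    rr.changed = False
                    signatures += 1
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return signatures


if __name__ == "__main__":
    # Assumed zone: 1000 hosts, 10 of them edited per day, 30-day horizon.
    for s in ("resign-all", "short-key-sig"):
        print(s, simulate(n_hosts=1000, days=30, changes_per_day=10, strategy=s))
```

With the assumed 1000-host zone and ten edits a day, the daily-resign schedule produces roughly twenty times as many signature operations over a month as signing only the KEY RRset daily, while both give the same one-day replay window on the KEY RRset; raising `changes_per_day` toward `n_hosts` is where the two schedules converge, which is the case the thread disputes.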