>
> > [EMAIL PROTECTED] writes:
> > > there is no requirement to re-sign every record to achieve
> > > your 1 day expiry. Just change the zone key whenever you change
> > > zone data and have a 1 day expiry on the zone key's signature.
> >
> > No. If you maintain the validity of signatures on old records, you're
> > allowing the attack to succeed. If you don't maintain the validity of
> > those signatures, you have to immediately sign those records again.
> >
> > Please withdraw your claim.
>
> Dan,
> your claim is that you have to re-sign every record in
> a zone daily to achieve a 1 day replay window. I'm stating
> that you can achieve the same protection without re-signing
> every record daily.
>
> Pre change:
> example.com KEY alpha
> example.com SIG KEY expire=200107292257 (1 day)
> host.example.com A 1.2.3.4
> host.example.com SIG A expire=200108272257 (30 days)
>
> Post change:
> example.com KEY beta
> example.com SIG KEY expire=200107072258 (1 day)
This should have been
example.com SIG KEY expire=200107272258 (1 day)
> host.example.com A 1.2.3.5
> host.example.com SIG A expire=200108272258 (30 days)
>
> Please explain how you can verify
> host.example.com A 1.2.3.4
> host.example.com SIG A expire=200108272257
> after 200107292257.
>
> Mark
> --
> Mark Andrews, Nominum Inc.
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
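As an added illustration, not part of Mark's or Dan's messages: a small Python model of the chain check the thread argues about, using the thread's own records and timestamps. The `parent` signer name, the `KEY_KEPT` counter-case and the probe times are assumptions made for the example.

```python
"""Replay window of a DNSSEC signature chain, built on the thread's zone.
A resolver accepts a record only while every SIG in the chain is unexpired,
so an old record replayed together with the old zone KEY can be accepted no
longer than the short-lived SIG over that KEY. Timestamps are YYYYMMDDHHMM
as written in the thread; the `parent` signer and the probe times are
constructed for this example."""
from collections import namedtuple

Sig = namedtuple("Sig", "signer expire")                    # signer = KEY name
Bundle = namedtuple("Bundle", "key key_sig rr rr_sig")       # what a resolver receives


def unexpired(sig, now):
    """Fixed-width decimal timestamps compare correctly as strings."""
    return now <= sig.expire


def validates(bundle, now):
    """True only if the record SIG *and* the SIG over the KEY that made it are live."""
    if bundle.rr_sig.signer != bundle.key:
        return False                            # record signed by a KEY not in the bundle
    return unexpired(bundle.key_sig, now) and unexpired(bundle.rr_sig, now)


# Pre-change zone from the thread: KEY alpha with a 1-day SIG, A record with a 30-day SIG.
OLD_A = ("host.example.com", "A", "1.2.3.4")
REPLAYED = Bundle(key="alpha", key_sig=Sig("parent", "200107292257"),
                  rr=OLD_A, rr_sig=Sig("alpha", "200108272257"))

# Constructed counter-case: the KEY is kept and only its SIG is renewed for another day.
KEY_KEPT = REPLAYED._replace(key_sig=Sig("parent", "200107302257"))


def replay_outcomes(now="200107300000"):
    """Does the stale A record verify at `now` (the day after alpha's SIG expired)?"""
    return {"key changed": validates(REPLAYED, now),      # False: KEY SIG has expired
            "key kept": validates(KEY_KEPT, now)}         # True: old record still accepted


if __name__ == "__main__":
    print(replay_outcomes())
```

The 30-day SIG over the A record is still unexpired at the probe time; it is the expired SIG over KEY alpha that makes the replayed answer fail.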