I'm not a DNSSEC operator yet, either. But I think updating a flawed
document is better done sooner than later. I'm for updating it.

                --Dean

On Thu, 26 Jun 2008, Paul Hoffman wrote:

> Greetings. I had a brief discussion with Olaf Kolkman about some 
> deficiencies in RFC 4641, and he agreed to revise the document if the 
> WG is interested. This message is to start gauging interest in that 
> task.
> 
> I started reading RFC 4641 when I was on the panel at ICANN that 
> reviewed PIR's proposal to start signing .org. I am not a DNSSEC 
> operator (yet), so I came to the document with a novice's eyes. There 
> are three areas which I found problematic:
> 
> - The cryptography that got added after WG LC is flawed. The 
> calculations of appropriate key sizes start with solid numbers 
> (quoted from an RFC that Hilarie Orman and I wrote) and then quickly 
> fall into handwaving. It can be greatly simplified.
> 
> - The discussion of key rollover times has no justification for the 
> times chosen. There is no discussion of the attacks that the rollover 
> is trying to mitigate. Such a discussion would help a zone decide 
> that zone's rollover policies.
> 
> - It is not clear when the document is talking about publishing keys 
> as trust anchors and when it is talking about publishing them in a 
> signed parent zone. These two scenarios are vastly different, 
> particularly with respect to key rollover.
> 
> Olaf agreed that there may be more operational input from people who 
> are currently deploying DNSSEC, and that this document might be ripe 
> for a renewal even though it is less than two years old. How do 
> people in the WG feel about this?
> 
> --Paul Hoffman, Director
> --VPN Consortium
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   

