The original RFC 4641 came out before the update-timers draft became an
RFC. The revision would need to incorporate that as well as the
improved crypto stuff.
So yes, I would support this effort.
Scott
Paul Hoffman wrote:
Greetings. I had a brief discussion with Olaf Kolkman about some
deficiencies in RFC 4641, and he agreed to revise the document if the WG
is interested. This message is to start gauging interest in that task.
I started reading RFC 4641 when I was on the panel at ICANN that
reviewed PIR's proposal to start signing .org. I am not a DNSSEC
operator (yet), so I came to the document with a novice's eyes. There
are three areas which I found problematic:
- The cryptography that got added after WG LC is flawed. The
calculations of appropriate key sizes start with solid numbers (quoted
from an RFC that Hilarie Orman and I wrote) and then quickly fall into
handwaving. It can be greatly simplified.
- The discussion of key rollover times has no justification for the
times chosen. There is no discussion of the attacks that the rollover is
trying to mitigate. Such a discussion would help a zone decide that
zone's rollover policies.
- It is not clear when the document is talking about publishing keys as
trust anchors and when it is talking about publishing them in a signed
parent zone. These two scenarios are vastly different, particularly with
respect to key rollover.
Olaf agreed that there may be more operational input from people who are
currently deploying DNSSEC, and that this document might be ripe for a
renewal even though it is less than two years old. How do people in the
WG feel about this?
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
--
----------------------------------------
Scott Rose Computer Scientist
NIST
ph: +1 301-975-8439
http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
-----------------------------------------