I'll take the liberty to resend Mark's messages too; Resending Mark's reply to Dean Anderson's message
-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 09:35:43 +1000
From: Mark Andrews <[EMAIL PROTECTED]>
To: Dean Anderson <[EMAIL PROTECTED]>
CC: Jelte Jansen <[EMAIL PROTECTED]>, [email protected]

> On Thu, 4 Sep 2008, Mark Andrews wrote:
> >
> > It's not an issue. You remove the DS's which have that
> > algorithm then once they have expired from caches you can
> > remove the DNSKEY.
>
> Of course, you can replay them, resulting in a DOS. (I'll call
> this attack 6)

Wait for the signatures to also expire. The replayed DS RRset
will then be rejected.

Pick your paranoia level.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
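An added illustration, not part of the thread, modelling in Python the two waiting periods Mark describes when retiring a DS algorithm: the DS RRset TTL (caches) and the RRSIG expiration (replay). The TTL, removal time and RRSIG validity window below are constructed values, not taken from any real zone.

```python
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0):
    """Small helper so callers can build UTC timestamps without imports."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed sample: the DS RRset for the algorithm being retired, its TTL,
# and the validity window of the RRSIG that covers it at the parent.
OLD_DS = {
    "ttl": 3600,                          # seconds, constructed value
    "rrsig_inception": utc(2008, 9, 1),   # constructed value
    "rrsig_expiration": utc(2008, 9, 15), # constructed value
}
DS_REMOVED_AT = utc(2008, 9, 5)           # when the old DS left the parent zone


def validator_accepts(ds, now, skew=timedelta(0)):
    """RFC 4035-style temporal check: an RRSIG (and so a replayed copy of the
    DS RRset it signs) is accepted only while `now` lies within
    [inception, expiration], optionally widened by a clock-skew allowance."""
    return (ds["rrsig_inception"] - skew) <= now <= (ds["rrsig_expiration"] + skew)


def earliest_dnskey_removal(ds, ds_removed_at, paranoid):
    """Earliest time the old-algorithm DNSKEY can go.

    paranoid=False: wait until the removed DS RRset has aged out of caches
    (removal time + TTL), as in Mark's first answer.
    paranoid=True:  additionally wait until the RRSIG over that DS RRset has
    expired, so a replayed copy fails validation instead of causing a DoS.
    """
    caches_clear = ds_removed_at + timedelta(seconds=ds["ttl"])
    if not paranoid:
        return caches_clear
    return max(caches_clear, ds["rrsig_expiration"])


def replay_window(ds, ds_removed_at):
    """How long a replayed old DS RRset would still validate if the DNSKEY
    were removed at the non-paranoid point (zero means no exposure)."""
    start = earliest_dnskey_removal(ds, ds_removed_at, paranoid=False)
    return max(timedelta(0), ds["rrsig_expiration"] - start)
```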
