At 6:04 -0500 9/9/09, Michael Graff wrote:
> Perhaps something as simple as "valid until" might be useful for an ITAR like thing, but only so long as it comes from the submitter of that key.
> ...We take the first step down the path of certificates, X.509, and that sort of thing. ;)
We need to be careful. The jargon used for DNSSEC has included phrases like, "a ZSK should expire in 3 months". DNSKEY RRs do not have time in them; RRSIG RRs do, and only there is absolute time ever apparent inside the DNS (system). If we now attach absolute times to the presence of records (in this case the DS RR that is the result), we are introducing a new paradigm.
What happens when the parent disposes of the DS RR at the end of the key's effectivity date? Will the child know to remove the same DNSKEY, or at least mark it as revoked in RFC 5011 speak? Do we need to define a signal mechanism from the parent to child? These are the kinds of things that need to be thought about thoroughly - and why I say we need to treat the disease and not the symptoms.
Brainstorming is good and we do need that, but be aware we need to arrive at a fully fleshed-out solution.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
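The point made in the message above, that absolute time in DNSSEC lives only in RRSIG RRs while DNSKEY (and the DS derived from it) carry none, can be seen directly by parsing the records. The following is an added example, not code from the thread or from any DNS implementation: it parses presentation-format DNSKEY and RRSIG RDATA, computes the RFC 4034 key tag and an RFC 4509 SHA-256 DS record, checks the RFC 5011 REVOKE bit, and tests an RRSIG's inception/expiration window. The DNSKEY public key and RRSIG signature bytes are constructed placeholders, not real key material; the record values and the `example.` owner name are assumptions for illustration.

```python
"""Where absolute time lives in DNSSEC data (added example, constructed inputs).

DNSKEY RDATA: flags, protocol, algorithm, public key  -> no timestamps at all
DS RDATA:     key tag, algorithm, digest type, digest  -> derived from DNSKEY, no timestamps
RRSIG RDATA:  ..., expiration, inception, key tag, ... -> the only absolute times in DNS
"""
import base64
import hashlib
import struct
from datetime import datetime, timezone

ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1, flags bit 7
REVOKE_FLAG = 0x0080    # RFC 5011 section 2.1, flags bit 8
SEP_FLAG = 0x0001       # RFC 4034 section 2.1.1, flags bit 15


def parse_dnskey(rdata_text):
    """Parse 'flags protocol algorithm base64-key'. Note the absence of any time field."""
    fields = rdata_text.split()
    return {
        "flags": int(fields[0]),
        "protocol": int(fields[1]),
        "algorithm": int(fields[2]),
        "pubkey": base64.b64decode("".join(fields[3:])),
    }


def dnskey_wire_rdata(key):
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(key):
    """RFC 4034 Appendix B key tag (for all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_wire_rdata(key)):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_revoked(key):
    """RFC 5011 revocation is signalled in the DNSKEY flags, not by any timestamp."""
    return bool(key["flags"] & REVOKE_FLAG)


def name_to_wire(name):
    """Canonical (lowercase) wire-format owner name, e.g. 'example.' -> b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, key):
    """RFC 4509 DS RDATA with digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + dnskey_wire_rdata(key)).hexdigest().upper()
    return f"{key_tag(key)} {key['algorithm']} 2 {digest}"


def _sig_time(field):
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS, or unsigned seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig_times(rdata_text):
    """RRSIG RDATA order: type alg labels orig_ttl expiration inception keytag signer sig."""
    fields = rdata_text.split()
    return _sig_time(fields[5]), _sig_time(fields[4]), int(fields[6])


def utc(text):
    """Helper for callers: 'YYYY-MM-DD HH:MM:SS' -> aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def rrsig_valid_at(rdata_text, now):
    """True when now lies inside the signature's inception..expiration window."""
    inception, expiration, _ = parse_rrsig_times(rdata_text)
    return inception <= now <= expiration


# Constructed sample records (placeholder key and signature bytes, not real crypto material).
KSK_TEXT = "257 3 8 AQIDBA=="            # zone key + SEP, algorithm 8, 4 placeholder key bytes
REVOKED_KSK_TEXT = "385 3 8 AQIDBA=="    # same key with the RFC 5011 REVOKE bit (0x80) set
RRSIG_TEXT = "DNSKEY 8 1 3600 20091009060400 20090909060400 2063 example. c2lnbmF0dXJl"

if __name__ == "__main__":
    ksk = parse_dnskey(KSK_TEXT)
    print("key tag:", key_tag(ksk), "revoked:", is_revoked(ksk))
    print("DS:", ds_record("example.", ksk))
    print("RRSIG valid now?", rrsig_valid_at(RRSIG_TEXT, datetime.now(timezone.utc)))
```

Setting the REVOKE bit changes the flags field and therefore the key tag and the DS digest, which is why a revoked key no longer matches a DS the parent computed for the unrevoked key; and nothing in either record says when that happened, only the RRSIGs made with the key carry dates.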
