Hello,

And thanks for the reference to this website.

While I do agree that having signatures "close to end-of-validity time" might be a reason for concern - in most cases I observed with our own registrars, getting "too close" usually leads to "no longer valid" signatures - there is however absolutely no problem if the signatures are regenerated before actually reaching that end-of-validity time. (And though .eu shows "red" on this website, I can assure the community we have the re-signing well under control and also monitored by network management scripts.)

On the other hand, I would be concerned with signatures that remain valid "very" long! They show up "green", but actually have a very long period of time during which "replay attacks" are potentially possible! Some malicious person might grab present data, with presently valid signatures, and - as long as that signature remains valid - that captured data might be reused! (The associated DNSKEY must/should remain in the zone to allow for validation of that signature.)

This being said: (at least) one of the TLDs that are green on the website sends signatures that remain valid till the last second of the present year (and has not even, as far as I can see, done any ZSK roll-over at all). Now *that* would be a reason to flag them "red", in my opinion. (And yes, I did send the colleague admins emails about this; and no, no response ...)

Kind regards,

Marc Lampo
Security Officer
EURid

-----Original Message-----
From: Richard Lamb [mailto:[email protected]]
Sent: 02 June 2011 05:24 PM
To: Joe Abley; João Damas
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] watching for signature expiration in zones you don't sign

I still think, stale or not, having some idea of what the zone's policy is regarding signature updates would be useful. I've been running signature expiry monitoring scripts for a few years and having some idea of what is "ok" for a zone would be very helpful - particularly those zones that have a policy of not refreshing signatures a day or two before expiry (e.g. red ones on http://www.dnssek.info/ ) - which I would normally consider a concern and start firing off warning emails.

-Rick

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Joe Abley
> Sent: Thursday, June 02, 2011 3:22 AM
> To: João Damas
> Cc: IETF DNSOP WG
> Subject: Re: [DNSOP] watching for signature expiration in zones you don't sign
>
> On 2011-06-02, at 13:17, João Damas wrote:
>
> > at first glance it might look useful, but this is the kind of info that tends to go stale and then what do you do when there is a mismatch?
>
> I guess you flag it for manual investigation. The alternative is that you don't really know when a situation is actually bad until the signature expires, and it'd be nice to have some early warning.
>
> I could maintain a manual table of what "bad" means for particular zones based on observation, but that seems even more likely to become stale.
>
> > Would you invalidate a still-valid signature if it doesn't conform to policy in case someone else is signing the zone other than the authorised party?
>
> Nope, but (especially in these early days of deployment) perhaps it might merit a note to an administrator, or a heads-up to a public list.
>
> > Would you send mail to the zone admin? (and knowing the people on this list, that would be a lot of email on top of that admin) :)
> >
> > Shouldn't this sort of admin work be done by the admin, either internally or by outsourcing to some other organisation?
>
> I guess my point is that unless you're the person involved in signing a particular zone, telling when there's a signature expiration problem looming is not easy.
>
>
> Joe
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
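The two monitoring conditions the thread argues about, written up as an added Python example (not code from any of the participants): it parses RRSIG records in presentation format and flags both the near-expiry case Rick's scripts warn on and the long validity window Marc describes. The records, the `example.test.` zone, the "now" and the two thresholds are constructed assumptions, not observed data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records in presentation format (not real zone data);
# the signature field is a placeholder and is never verified here.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20110604000000 20110527000000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG NS 8 2 3600 20111231235959 20110101000000 12345 example.test. c2lnMg==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110615000000 20110601000000 54321 example.test. c2lnMw==
example.test. 3600 IN RRSIG MX 8 2 3600 20110601000000 20110510000000 12345 example.test. c2lnNA==
"""
NOW = datetime(2011, 6, 3, tzinfo=timezone.utc)  # constructed "now", matching the thread's date

@dataclass
class SigWindow:
    owner: str
    type_covered: str
    inception: datetime
    expiration: datetime

def parse_rrsig_time(text: str) -> datetime:
    # RFC 4034 presentation format: YYYYMMDDHHmmSS, always UTC.
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line: str) -> SigWindow:
    # owner TTL class RRSIG type alg labels origTTL expiration inception keytag signer sig
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return SigWindow(f[0], f[4], parse_rrsig_time(f[9]), parse_rrsig_time(f[8]))

def classify(sig, now, warn_before=timedelta(days=2), max_validity=timedelta(days=30)):
    """Flags a monitor would raise for one signature; the thresholds are assumed policy."""
    flags = []
    remaining = sig.expiration - now
    if now < sig.inception:
        flags.append("not-yet-valid")
    elif remaining <= timedelta(0):
        flags.append("expired")        # the red that hurts: validators now fail the zone
    elif remaining < warn_before:
        flags.append("expiring-soon")  # dashboard red, harmless if re-signing is automated
    if sig.expiration - sig.inception > max_validity:
        flags.append("long-validity")  # long window in which captured answers stay valid
    return flags or ["ok"]

def report(zone_text: str, now: datetime) -> dict:
    # One entry per covered type: {"SOA": ["expiring-soon"], "NS": ["long-validity"], ...}
    return {s.type_covered: classify(s, now)
            for s in map(parse_rrsig, filter(str.strip, zone_text.splitlines()))}
```

Calling `report(SAMPLE_RRSIGS, NOW)` flags the SOA signature as expiring soon, the NS signature (valid until the last second of the year) as a long validity window, and the MX signature as already expired.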
