On Apr 19, 2013, at 12:33, Tony Finch wrote:

> The lifetime of this kind of compromise is limited by the expiry time of
> the KSK's RRSIG over the DNSKEY RRset. The attacker with the compromised
> ZSK can't extend this since they can't re-sign the DNSKEYs in a way that
> will be authenticated by the DS.
The question is whether the expiry of the KSK matters more than the expiry of the ZSK. The case we are talking about here is the ZSK being compromised. What I was also thinking about is a compromise of the KSK. Or more accurately, compromise of the SEP.

I'm trying to work out whether it's sufficient to just roll out of the ZSK to end the suffering of a compromise (realizing that there's the signature effectivity and TTLs to expire) or if you'd have to roll the KSK too - assuming a ZSK (non-SEP) compromise.

It's clear that if the SEP is compromised, I have to clear it out of the DS set.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
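The bound Tony quotes above, as an added example that is not code from either poster: a small Python model of the validator's chain (DS, KSK, DNSKEY RRset, data RRset) with constructed key tags and records. It shows that a replayed old DNSKEY RRset keeps a compromised ZSK usable until the KSK's RRSIG over that RRset expires, whatever day the ZSK is rolled, and that the DS stops the ZSK from re-signing the DNSKEY RRset itself.

```python
"""Constructed model: a compromised ZSK stays usable while the KSK's RRSIG over a
DNSKEY RRset that still lists it is unexpired. Signatures here are records, not
cryptography: only the key holder is assumed able to produce one (not enforced)."""
import hashlib
from dataclasses import dataclass

DAY = 86400

@dataclass(frozen=True)
class Key:
    tag: int
    sep: bool = False  # SEP flag: the KSK, the key the parent's DS points at

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    expiration: int  # epoch seconds
    digest: str      # hash of the covered RRset

def digest(rrset):
    return hashlib.sha256("|".join(sorted(map(repr, rrset))).encode()).hexdigest()

def sign(key, rrset, expiration):  # assumed callable only by the holder of key's private half
    return RRSIG(key.tag, expiration, digest(rrset))

def validate(ds_tag, dnskeys, dnskey_sig, data, data_sig, now):
    """Validator's chain at time now: DS -> KSK -> DNSKEY RRset -> data RRset."""
    ksk = next((k for k in dnskeys if k.tag == ds_tag and k.sep), None)  # DS must name a SEP key
    if (ksk is None or dnskey_sig.key_tag != ksk.tag or now > dnskey_sig.expiration
            or dnskey_sig.digest != digest(dnskeys)):
        return False  # DNSKEY RRset not (or no longer) authenticated via the DS
    if (not any(k.tag == data_sig.key_tag for k in dnskeys)
            or data_sig.digest != digest(data) or now > data_sig.expiration):
        return False  # data RRSIG not from a listed key, or expired
    return True

def zsk_compromise(now, roll_day=10):
    """Outcomes at time now (seconds) for a ZSK compromised at day 0 and rolled at roll_day."""
    ksk, old_zsk, new_zsk = Key(1001, sep=True), Key(2002), Key(2003)   # constructed tags
    old_set, new_set = (ksk, old_zsk), (ksk, new_zsk)
    old_sig = sign(ksk, old_set, 30 * DAY)                 # KSK's RRSIG over the old DNSKEY RRset
    new_sig = sign(ksk, new_set, (roll_day + 30) * DAY)    # KSK's RRSIG after the ZSK roll
    forged = ("www.example. IN A 192.0.2.66",)             # constructed record the attacker plants
    forged_sig = sign(old_zsk, forged, 365 * DAY)          # attacker chooses any expiry it likes
    return {
        # replay the old DNSKEY RRset together with its still-valid KSK signature
        "replay_old_set": validate(ksk.tag, old_set, old_sig, forged, forged_sig, now),
        # a ZSK cannot re-sign the DNSKEY RRset: only the KSK satisfies the DS
        "resign_with_zsk": validate(ksk.tag, old_set, sign(old_zsk, old_set, 365 * DAY), forged, forged_sig, now),
        # a validator holding the rolled RRset no longer lists the old ZSK at all
        "against_rolled_set": validate(ksk.tag, new_set, new_sig, forged, forged_sig, now),
    }
```

Rolling the ZSK on day 10 does not stop the replay on day 20; only the expiry of the KSK's RRSIG over the old RRset (day 30 here) does, plus whatever TTLs caches still hold.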
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
