Paul Wouters <[email protected]> wrote:
> On Thu, 27 Mar 2014, Nicholas Weaver wrote:
>
> > For an attacker, the root ZSK is not 1 month validity, since an attacker
> > who's in a position to take advantage of such a ZSK compromise is going to
> > be faking all of DNS for the target, and can therefore just as easily also
> > fake NTP, ensuring that the attacker's key is still valid for most victims.
>
> Then you have lost forever because we have used a 1024 key in the past.
> You can always NTP attack them to today's 1024 key, and no increase in
> key size in the future will help you.

I have a rough plan for how to avoid the insecure time replay vulnerability:
http://www.ietf.org/mail-archive/web/dnsop/current/msg11245.html

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
South-east Iceland: Cyclonic becoming easterly or northeasterly later, 4 or 5,
occasionally 6 near Iceland. Moderate or rough, occasionally very rough at
first. Rain or showers. Good, occasionally moderate.
