On 02/06/2017 01:11 PM, Shane Kerr wrote:
> Warren,
>
> I am still wondering about the:
>
>     3 * (DNSKEY RRSIG Signature Validity) / 2
>
> term in the draft, which I see survived the update.
>
> Why is this not just the DNSKEY RRSIG Signature Validity? In principle,
> once the signature has expired it cannot be used to replay the old
> DNSKEY RRset, right?

Shane was faster than me; I'm also wondering how 3/2 got here. I expect
that 3/2 = 2/2 to avoid the replay attack + 1/2 from RFC 5011. In any case,
it would be awesome if each component in section 6 had its own explanation
of what role the particular component plays in the equation.

--
Petr Špaček @ CZ.NIC

> Cheers,
>
> --
> Shane
>
> At 2017-02-03 21:14:03 -0500
> Warren Kumari <[email protected]> wrote:
>
>> Hi all,
>>
>> Wes and I have updated this document to make it clearer and more
>> readable. Please take a read and let us know if any parts are unclear,
>> if you have any other feedback, etc.
>>
>> Is this close to done?

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
