On Tue, Apr 4, 2017 at 8:04 AM, <[email protected]> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations of the IETF.
>
> Title : Security Considerations for RFC5011 Publishers
> Authors : Wes Hardaker
> Warren Kumari
> Filename : draft-ietf-dnsop-rfc5011-security-considerations-00.txt
> Pages : 9
> Date : 2017-04-03
>
> Abstract:
> This document describes the math behind the minimum time-length that
> a DNS zone publisher must wait before using a new DNSKEY to sign
> records when supporting the RFC5011 rollover strategies.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5011-security-considerations/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-rfc5011-security-considerations-00
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5011-security-considerations-00
>

This one still needs to be fixed:
----------
"6. Minimum RFC5011 Timing Requirements
...
The most confusing element of the above equation comes from the
"3 * (DNSKEY RRSIG Signature Validity) / 2" element, but is the most
critical to understand and get right."
-----------

But the equation no longer contains "3 * " anywhere.

-- 
Bob Harold
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
