to comment on.
--Olaf
$Id: NSEC-NSEC3 36 2010-01-22 11:02:32Z olaf $
20100122
NSEC-NSEC3
Paul Wouters
Added: 22 jan 2010
Discussion missing about NSEC vs NSEC3 Parameters
from:
http://www.ietf.org/mail-archive/web/dnsop/current/msg07282.html
Discussion:
From: Paul
On 1/21/2010 9:24 PM, Eric Rescorla wrote:
On Thu, Jan 21, 2010 at 9:09 PM, Paul Wouters p...@xelerance.com wrote:
On Thu, 21 Jan 2010, Eric Rescorla wrote:
The point is that the numbers depend on your model of the attacker
more than on the cryptography.
Yes, but
On Thu, 21 Jan 2010, Paul Hoffman wrote:
- Regular rolling can give you a false sense of security about your rolling
process
How can you have any sense of security about your rolling process if you
don't exercise it?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
GERMAN BIGHT
On 2010-01-22, at 07:45, Andrew Sullivan wrote:
It is simply not true that everything needs to be done for real in
order to be sure it can be done.
I think that's true. However, for procedures (manual or automated) that are
required to function seamlessly and transparently in production,
At 17:11 -0500 1/21/10, Roy Arends wrote:
I'd recommend that 'exercise the activity' is not done on critical
production systems.
There's a difference between exercise and test/training/etc. You
do want to exercise on the real systems.
At 17:20 -0500 1/21/10, Andrew Sullivan wrote:
You
--On 22 January 2010 12:04:07 +0100 Olaf Kolkman o...@nlnetlabs.nl wrote:
Strawman text said:
Though some claim all data in the DNS should be considered public, it
sometimes is considered to be more than private, but less than public
data.
That does not describe the problem well, in that
--On 22 January 2010 23:09:11 +1100 Mark Andrews ma...@isc.org wrote:
Additionally NSEC3 provides no real benefit in highly structured zones
like IP6.ARPA. It is relatively easy to enumerate an IP6.ARPA zone even
if it is using NSEC3 by making use of the zone's structure.
e164.arpa. is
Paul,
--On 22 January 2010 14:51:38 -0500 Paul Wouters p...@xelerance.com wrote:
the NSEC3 RR chain. Therefor, Opt-Out should be avoided if possible.
1. Therefor*e*
2. I don't think the last sentence follows from the foregoing, in that
this behaviour is desirable for the zone operator! (I
At 20:31 + 1/22/10, Alex Bligh wrote:
contents) in example.org. So, whilst opt-out should be avoided
across intervals containing secure delegations, I see no reason
to avoid it across intervals that don't contain secure delegations.
Opt-out is restricted to intervals that contain only
--On 22 January 2010 15:45:54 -0500 Edward Lewis ed.le...@neustar.biz
wrote:
contents) in example.org. So, whilst opt-out should be avoided
across intervals containing secure delegations, I see no reason
to avoid it across intervals that don't contain secure delegations.
Opt-out is
At 8:18 PM + 1/22/10, bmann...@vacation.karoshi.com wrote:
On Fri, Jan 22, 2010 at 09:13:22AM -0800, Paul Hoffman wrote:
At 4:56 PM + 1/22/10, Tony Finch wrote:
On Thu, 21 Jan 2010, Paul Hoffman wrote:
- Regular rolling can give you a false sense of security about your
rolling
On Fri, Jan 22, 2010 at 03:23:02PM +, bmann...@vacation.karoshi.com wrote:
the apparent nub of the argument is... we need to be
able to do this rollover thing, but if we screw up
it will be hard to put back together... so we won't
actually do the task - and hope
Andrew,
Which sort of test you ought to do is governed by what kind of needs you have.
I've been in places where folks really needed to rely on generators kicking in
during a power outage. When the generators turned out to be reasonably good at
being pieces of industrial art because folks
Paul,
I was talking about the situation where example.org is signed, the .org
is optout and exemple.org does not exist. For many, it is impossible
to register all typo-squat domains, so this is a real scenario.
Ah, didn't spot the 'e'.
Having verifiable deniability for typo-squatted domains
--On 23 January 2010 04:56:33 + Alex Bligh a...@alex.org.uk wrote:
Having verifiable deniability for typo-squatted domains is very useful.
If expensive, where 99% of your domains are unsigned.
By which I mean expensive given this isn't the cheapest attack vector.
If I want to typo