Hello Peter and Matt,
eventually, I found the time to take a closer look at the
latest version of your Resolver Priming I-D,
draft-ietf-dnsop-resolver-priming-01,
and again would like to submit a few comments, most of which
are editorial in nature.
Items (4) and (7) ff. should be of interest
Hi,
during some work on DNSKEY maintenance, I think I found a potential
operational issue. If we are going to do new work on DNSSEC Operational
Practices, I would like to suggest to add a text similar to that
attached to this message.
The issue
Mark Andrews wrote:
It's not an issue. You remove the DS's which have that
algorithm then once they have expired from caches you can
remove the DNSKEY.
That could still leave the zone itself in an inconsistent state... I'm
On Wed, 3 Sep 2008, Danny McPherson wrote:
You don't see any evidence of attacks because you haven't read
about them on NANOG [or various network forums that you do
monitor] - duly noted, and comically ironic.
It is indeed comically ironic (telling, actually) that NANOG hasn't
discussed the
On Thu, 4 Sep 2008, Mark Andrews wrote:
It's not an issue. You remove the DS's which have that
algorithm then once they have expired from caches you can
remove the DNSKEY.
Of course, you can replay them, resulting in a DOS. (I'll call
this attack 6)