On Thu, 28 Apr 2016, Viktor Dukhovni wrote:
> Yes, basically right, here's the DS-free delegation:
>
>     tools.ietf.org. NS gamay.levkowetz.com.
>     tools.ietf.org. NS zinfandel.levkowetz.com.
>     tools.ietf.org. NS merlot.levkowetz.com.
>     tools.ietf.org. NSEC trac.ietf.org. NS RRSIG NSEC
>     tools.ietf.org. RRSIG NSEC 5 3 1800 20170308083312 20160308073501 40452 ietf.org. <sig>
>
> The thing one might quibble about is the IMHO much too long RRSIG
> validity interval. One year signatures are rather long. With this
> signature in hand, an attacker can deny any signature for tools.ietf.org
> until March 2017 even if the zone were signed tomorrow.

or until ietf.org rolls the ZSK, whichever time period is shorter.

Paul
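Added example, not part of the original thread: a small Python audit that parses the NSEC and RRSIG records quoted above and reports how long the signed "no DS" proof remains acceptable to a validator, using either the RRSIG expiration or an earlier ZSK retirement. The function names and the `zsk_retired` parameter are hypothetical; the record text is copied from the message.

```python
from datetime import datetime, timezone

# Records as quoted in the message above; "<sig>" is elided there as well.
NSEC = "tools.ietf.org. NSEC trac.ietf.org. NS RRSIG NSEC"
RRSIG = ("tools.ietf.org. RRSIG NSEC 5 3 1800 20170308083312 "
         "20160308073501 40452 ietf.org. <sig>")

def _ts(text):
    """RRSIG presentation timestamp (YYYYMMDDHHmmSS, UTC) to datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_nsec(line):
    owner, rtype, next_name, *types = line.split()
    if rtype != "NSEC":
        raise ValueError("not an NSEC record")
    return {"owner": owner, "next": next_name, "types": set(types)}

def parse_rrsig(line):
    f = line.split()
    if len(f) < 10 or f[1] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {"owner": f[0], "covered": f[2], "expiration": _ts(f[6]),
            "inception": _ts(f[7]), "key_tag": int(f[8]), "signer": f[9]}

def replay_exposure(nsec_line, rrsig_line, as_of, zsk_retired=None):
    """How long a captured 'no DS here' proof still validates after as_of.

    zsk_retired (hypothetical input): when the signing key leaves the
    parent's DNSKEY RRset, which ends the window early.
    """
    nsec, sig = parse_nsec(nsec_line), parse_rrsig(rrsig_line)
    if sig["covered"] != "NSEC" or sig["owner"] != nsec["owner"]:
        raise ValueError("RRSIG does not cover this NSEC")
    # Insecure-delegation proof: NS bit set, DS and SOA bits clear.
    proves_no_ds = "NS" in nsec["types"] and not {"DS", "SOA"} & nsec["types"]
    end = sig["expiration"]
    if zsk_retired is not None:
        end = min(end, zsk_retired)
    live = proves_no_ds and sig["inception"] <= as_of < end
    return {"proves_no_ds": proves_no_ds, "key_tag": sig["key_tag"],
            "validity_days": (sig["expiration"] - sig["inception"]).days,
            "remaining_days": (end - as_of).days if live else 0}

if __name__ == "__main__":
    day = datetime(2016, 4, 28, tzinfo=timezone.utc)  # date of the quoted message
    print(replay_exposure(NSEC, RRSIG, day))
```

Running the same check across a parent zone's delegation NSEC records shows which unsigned children carry the longest exposure if they later deploy DNSSEC.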
