[DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-04 Thread Jelte Jansen
Hi, during some work on DNSKEY maintenance, I think I found a potential operational issue. If we are going to do new work on DNSSEC Operational Practices, I would like to suggest adding text similar to that attached to this message. The issue lies

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-04 Thread Mark Andrews
It's not an issue. You remove the DSs which have that algorithm, then once they have expired from caches you can remove the DNSKEY. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-04 Thread Jelte Jansen
Mark Andrews wrote: > It's not an issue. You remove the DSs which have that > algorithm, then once they have expired from caches you can > remove the DNSKEY. That could still leave the zone itself in an inconsistent state... I'm not

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-04 Thread Mark Andrews
> Mark Andrews wrote: > > It's not an issue. You remove the DSs which have that > > algorithm, then once they have expired from caches you can > > remove the DNSKEY. > > That could still leave the zone itself in an inconsistent stat

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-04 Thread Dean Anderson
On Thu, 4 Sep 2008, Mark Andrews wrote: > > It's not an issue. You remove the DSs which have that > algorithm, then once they have expired from caches you can > remove the DNSKEY. Of course, you can replay them, resulting in a DoS. (I'll call this attack 6) -

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-05 Thread Jelte Jansen
Resending my message because of the IETF mailing list problems - Original Message Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section Date: Fri, 05 Sep 2008 10:32:35 +0200 From: Jelte Jansen <[EM

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-05 Thread Jelte Jansen
I'll take the liberty to resend Mark's messages too; Resending Mark's reply to Dean Anderson's message Original Message ---- Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section Date: Fri, 05 Sep 2008 09:35:43 +1000 From: Mark Andrews &l

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-05 Thread Jelte Jansen
And Mark's reply to my previous message: Original Message Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section Date: Fri, 05 Sep 2008 18:39:49 +1000 From: Mark Andrews <[EMAIL PROTECTED]> To: Jelte Jansen <[EMAIL PROTECTED]> CC: dnsop@

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-06 Thread Jelte Jansen
Mark Andrews wrote: > > What I'm getting from this is that the keyset at the apex must (at > least) be signed by each algorithm in the DS referral, and every rrset > in the zone must be signed by each algorithm in the apex keyset. > >> which is

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-06 Thread Scott Rose
(resent due to list hiccups - if anyone gets multiple messages, I apologize) I would also mention in the text that this problem applies to a zone migrating from NSEC to NSEC3 (when using RSA/SHA-1) The algorithm code is used to signal it so it would appear to resolvers as two different al
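The two invariants Mark's summary (quoted in Jelte's 2008-09-06 message) arrives at, and the NSEC-to-NSEC3 case Scott Rose adds, can be checked mechanically. The following Python is an added example written for this page, not code from the thread or from any of the posters. It models a zone abstractly as the set of algorithm numbers in the parent's DS RRset, the set in the apex DNSKEY RRset, and, per signed RRset, the set of algorithm numbers of the RRSIGs covering it; the RRset names, stage labels and helper names are constructed for illustration. Because it treats 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) as the distinct numbers they are, simply renumbering the key for an NSEC3 migration fails the check in the same way a real algorithm rollover done in the wrong order does.

```python
"""DNSSEC algorithm-rollover consistency checker (added example, not code
from the thread).

Encodes the two invariants from RFC 4035, section 2.2, that the thread
converges on:

  (A) the apex DNSKEY RRset must carry an RRSIG for every algorithm that
      appears in the parent's DS RRset, and
  (B) every RRset in the zone must carry an RRSIG for every algorithm that
      appears in the apex DNSKEY RRset.

Algorithm numbers follow the IANA DNSSEC algorithm registry; 5 (RSASHA1)
and 7 (RSASHA1-NSEC3-SHA1) are distinct numbers, so a validator sees an
NSEC-to-NSEC3 migration with RSA/SHA-1 as an algorithm rollover even though
the key material is unchanged.
"""
from typing import Dict, List, Optional, Set, Tuple

RSASHA1 = 5             # NSEC-only
RSASHA1_NSEC3_SHA1 = 7  # same signature scheme, signals NSEC3 support
RSASHA256 = 8

# (label, DS algorithms, DNSKEY algorithms, RRSIG algorithms per RRset)
ZoneState = Tuple[str, Set[int], Set[int], Dict[str, Set[int]]]

# Constructed RRset names for the toy zone; "DNSKEY" is the apex keyset.
RRSETS = ("DNSKEY", "SOA", "NS", "www.example. A")


def check_algorithm_consistency(ds_algs: Set[int], dnskey_algs: Set[int],
                                rrsig_algs: Dict[str, Set[int]]) -> List[str]:
    """Return the list of violations; an empty list means the state is consistent."""
    problems: List[str] = []
    # (A): every DS algorithm must have an RRSIG over the apex DNKSEY RRset.
    apex_sigs = rrsig_algs.get("DNSKEY", set())
    for alg in sorted(ds_algs):
        if alg not in apex_sigs:
            problems.append(f"A: DS lists algorithm {alg} but the apex DNSKEY RRset "
                            f"has no RRSIG with algorithm {alg}")
    # (B): every RRset must be signed by every algorithm in the apex DNSKEY RRset.
    for alg in sorted(dnskey_algs):
        for rrset, sigs in sorted(rrsig_algs.items()):
            if alg not in sigs:
                problems.append(f"B: RRset {rrset} has no RRSIG with algorithm {alg}, "
                                f"which is present in the apex DNSKEY RRset")
    # Sanity: an RRSIG whose algorithm has no DNSKEY can never validate.
    for rrset, sigs in sorted(rrsig_algs.items()):
        for alg in sorted(sigs - dnskey_algs):
            problems.append(f"RRSIG over {rrset} uses algorithm {alg} with no matching DNSKEY")
    return problems


def rollover_stages(old: int, new: int) -> List[ZoneState]:
    """Conservative order: new-algorithm keys and signatures go in together
    and before the new DS; the old DS leaves before the old keys, and the old
    keys and old signatures leave together."""
    def sigs(*algs: int) -> Dict[str, Set[int]]:
        return {r: set(algs) for r in RRSETS}
    return [
        ("0 steady state, old algorithm only",         {old},      {old},      sigs(old)),
        ("1 add new DNSKEY and sign everything twice", {old},      {old, new}, sigs(old, new)),
        ("2 add DS for the new algorithm",             {old, new}, {old, new}, sigs(old, new)),
        ("3 remove old DS",                            {new},      {old, new}, sigs(old, new)),
        ("4 remove old DNSKEY and old RRSIGs",         {new},      {new},      sigs(new)),
    ]


def careless_rollover_stages(old: int, new: int) -> List[ZoneState]:
    """An order that looks fine from the parent's side but breaks (B): the new
    DNSKEY is published and only the apex keyset is re-signed with it, so the
    rest of the zone lacks new-algorithm RRSIGs while the key advertises them."""
    steady = {r: {old} for r in RRSETS}
    partial = {r: {old} for r in RRSETS}
    partial["DNSKEY"] = {old, new}
    return [
        ("0 steady state, old algorithm only",                      {old}, {old},      steady),
        ("1 new DNSKEY published, only the DNSKEY RRset re-signed", {old}, {old, new}, partial),
    ]


def first_inconsistent_stage(stages: List[ZoneState]) -> Optional[Tuple[str, List[str]]]:
    """Return (label, problems) for the first stage violating (A) or (B), or None."""
    for label, ds, dnskey, rrsigs in stages:
        problems = check_algorithm_consistency(ds, dnskey, rrsigs)
        if problems:
            return label, problems
    return None


if __name__ == "__main__":
    print("RSASHA1 -> RSASHA256, conservative:",
          first_inconsistent_stage(rollover_stages(RSASHA1, RSASHA256)))
    print("NSEC -> NSEC3 as a 5 -> 7 rollover, conservative:",
          first_inconsistent_stage(rollover_stages(RSASHA1, RSASHA1_NSEC3_SHA1)))
    print("careless order:",
          first_inconsistent_stage(careless_rollover_stages(RSASHA1, RSASHA256)))
    # Just renumbering the RSA/SHA-1 key from 5 to 7 without touching the DS:
    print("renumber only:",
          check_algorithm_consistency({RSASHA1}, {RSASHA1_NSEC3_SHA1},
                                      {"DNSKEY": {RSASHA1_NSEC3_SHA1}, "SOA": {RSASHA1_NSEC3_SHA1}}))
```

The check is deliberately per-RRset rather than per-key: the point Jelte raises is that the delegation can be perfectly consistent (every DS algorithm has a matching signature over the keyset) while the zone body is not, and only the second loop catches that. Running it against a real zone would mean feeding it the DS algorithms from the parent and the RRSIG algorithms from an AXFR, which is left outside the example.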