[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

To: Mark Andrews <Mark_Andrews at isc.org>
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
From: Dean Anderson <dean at av8.com>
Date: Thu, 4 Sep 2008 11:34:42 -0400 (EDT)
Cc: dnsop at ietf.org, Jelte Jansen <jelte at NLnetLabs.nl>
Delivered-to: ietfarch-dnsop-archive at core3.amsl.com
Delivered-to: dnsop at core3.amsl.com
In-reply-to: <200809041306.m84D65LL087287 at drugs.dv.isc.org>
List-archive: <http://www.ietf.org/pipermail/dnsop>
List-help: <mailto:dnsop-request@ietf.org?subject=help>
List-id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-post: <mailto:dnsop@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
Sender: dnsop-bounces at ietf.org

On Thu, 4 Sep 2008, Mark Andrews wrote:

> 
> 	It's not a issue.  You remove the DS's which have that
> 	algorithm then once they have expired from caches you can
> 	remove the DNSKEY.

Of course, you can replay them, resulting in a DOS.  (I'll call 
this attack 6)

		--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   


_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

References:
- Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
  - From: Mark Andrews

Prev by Date: Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
Next by Date: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Previous by thread: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Next by thread: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Index(es):
- Date
- Thread