Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
I'll take the liberty to resend Mark's messages too;
Resending Mark's reply to Dean Anderson's message
-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 09:35:43 +1000
From: Mark Andrews <Mark_Andrews at isc.org>
To: Dean Anderson <dean at av8.com>
CC: Jelte Jansen <jelte at NLnetLabs.nl>, dnsop at ietf.org
> On Thu, 4 Sep 2008, Mark Andrews wrote:
>
> >
> > It's not an issue. You remove the DS's which have that
> > algorithm then once they have expired from caches you can
> > remove the DNSKEY.
>
> Of course, you can replay them, resulting in a DOS. (I'll call
> this attack 6)
Wait for the signatures to also expire. The replayed DS
RRset will then be rejected. Pick your paranoia level.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
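The exchange above describes a timeline: drop the retired algorithm's DS at the parent, wait for caches to expire it, drop the DNSKEY, and, for the replay concern, also wait for the RRSIG over the old DS RRset to expire. The model below is an added example, not code from the thread or from ISC or NLnet Labs. It invents a zone that retires algorithm 5 in favour of algorithm 8, a one-day DS TTL and a 14-day RRSIG lifetime, and it assumes a strict validator that requires every algorithm listed in the DS RRset to have a matching DNSKEY (the case in which a replayed old DS RRset turns into a denial of service); the relaxed RFC 6840 section 5.11 rule, under which one matching algorithm suffices, is modelled as an option.

```python
"""
Timeline model of the DS/DNSKEY algorithm-removal procedure and the DS-replay
concern discussed in the thread above. Constructed example: the zone, algorithm
numbers, TTLs and signature lifetimes are invented; no DNS traffic is generated.
"""
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class SignedDsRRset:
    """A DS RRset as served by the parent, with the RRSIG that covers it."""
    algorithms: frozenset        # DNSSEC algorithm numbers present in the DS RRset
    ttl: int                     # TTL the parent serves it with
    rrsig_inception: int         # RRSIG validity window (seconds since an arbitrary epoch)
    rrsig_expiration: int


def rrsig_time_valid(now: int, rrset: SignedDsRRset) -> bool:
    """RFC 4035 s5.3.1 time check: now must lie inside the RRSIG validity window.
    (Serial-number arithmetic on the 32-bit fields is ignored in this model.)"""
    return rrset.rrsig_inception <= now <= rrset.rrsig_expiration


def replay_accepted(now: int, old_ds: SignedDsRRset) -> bool:
    """A replayed copy of the old DS RRset (with its original RRSIG) validates
    for as long as that RRSIG is within its window. Cache TTL is irrelevant to
    replay: the attacker is not a cache, he re-injects the captured answer."""
    return rrsig_time_valid(now, old_ds)


def zone_validates(ds_algorithms: frozenset, dnskey_algorithms: frozenset,
                   strict: bool = True) -> bool:
    """Does the child's DNSKEY RRset satisfy the algorithms signalled by the DS RRset?
    strict=True  : every DS algorithm needs a matching DNSKEY (the RFC 4035 s2.2
                   signer rule, enforced by a strict validator; this is the case
                   in which the replay is a denial of service).
    strict=False : one matching algorithm is enough (RFC 6840 s5.11 validator rule)."""
    if strict:
        return ds_algorithms <= dnskey_algorithms
    return bool(ds_algorithms & dnskey_algorithms)


def earliest_safe_dnskey_removal(ds_removed_at: int, old_ds: SignedDsRRset,
                                 paranoia: str) -> int:
    """When may the DNSKEY of the retired algorithm be removed from the child zone?
    'cache'     : once caches have expired the old DS RRset (TTL), as in the first reply.
    'signature' : additionally once the RRSIG on the old DS RRset has expired, so that
                  a replayed copy is rejected, as in the second reply."""
    after_caches = ds_removed_at + old_ds.ttl
    if paranoia == "cache":
        return after_caches
    if paranoia == "signature":
        return max(after_caches, old_ds.rrsig_expiration + 1)
    raise ValueError(f"unknown paranoia level: {paranoia}")


def validator_outcome(now: int, old_ds: SignedDsRRset, new_ds: SignedDsRRset,
                      child_dnskey_algorithms: frozenset, retired_algorithm: int,
                      dnskey_removed_at: int, attacker_replays: bool,
                      strict: bool = True) -> bool:
    """Outcome at a validating resolver at time `now`, given that the parent
    switched from old_ds to new_ds earlier and the child drops the retired
    algorithm's DNSKEY at dnskey_removed_at. Returns True if the zone validates."""
    if attacker_replays and replay_accepted(now, old_ds):
        ds_in_use = old_ds.algorithms          # replayed old DS RRset still accepted
    else:
        ds_in_use = new_ds.algorithms          # only the current DS RRset validates
    dnskeys = set(child_dnskey_algorithms)
    if now >= dnskey_removed_at:
        dnskeys.discard(retired_algorithm)
    return zone_validates(ds_in_use, frozenset(dnskeys), strict)


# Constructed scenario: algorithm 5 (RSASHA1) is retired in favour of 8 (RSASHA256).
OLD_DS = SignedDsRRset(frozenset({5, 8}), ttl=DAY, rrsig_inception=0, rrsig_expiration=14 * DAY)
NEW_DS = SignedDsRRset(frozenset({8}), ttl=DAY, rrsig_inception=2 * DAY, rrsig_expiration=16 * DAY)
DS_REMOVED_AT = 2 * DAY      # parent starts serving NEW_DS instead of OLD_DS
CHILD_KEYS = frozenset({5, 8})


def run_scenario(paranoia: str, now: int, attacker_replays: bool = True) -> bool:
    """Apply one paranoia level and report whether the zone validates at `now`."""
    removal = earliest_safe_dnskey_removal(DS_REMOVED_AT, OLD_DS, paranoia)
    return validator_outcome(now, OLD_DS, NEW_DS, CHILD_KEYS, 5, removal, attacker_replays)


if __name__ == "__main__":
    for paranoia in ("cache", "signature"):
        t = earliest_safe_dnskey_removal(DS_REMOVED_AT, OLD_DS, paranoia)
        print(f"{paranoia:9s}: DNSKEY for alg 5 removable at day {t / DAY:.1f}")
        for day in (5, 15):
            ok = run_scenario(paranoia, day * DAY)
            print(f"           day {day}: replayed DS -> zone {'validates' if ok else 'BOGUS (DoS)'}")
```

With the "cache" level the DNSKEY for algorithm 5 goes away on day 3, and on day 5 a replayed old DS RRset (RRSIG good until day 14) lists algorithm 5 with no matching key, so the strict validator marks the zone bogus; with the "signature" level the key stays until the old RRSIG has expired and the same replay is harmless, and from day 15 the replay itself is rejected. Real deployments should use the actual RRSIG expiration of the last signature the parent issued over the old DS RRset, not the planned lifetime.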