[dns-operations] .fr has 5 DNSKEYs

Edward Lewis Ed.Lewis at neustar.biz
Wed Jun 1 16:59:45 UTC 2011

At 17:18 +0100 6/1/11, George Barwood wrote:

>The other point : is it true that after the detected compomise of a key,
>having a rescue key allows security to be restored faster.

Faster...than not having a rescue key?  Yes.

>You can start signing with rescue key, but the attacker can still
>forge responses until the old DNSKEY RRsets have expired. So that's
>not clear.

The goal is to 1) cause no more harm and 2) remove the old key's 
effectiveness as quickly as possible.  By not having a rescue key you 
have the choice to shock the system (violate #1) or introduce the new 
key gracefully (lengthen the time to achieve #2).

Keep in mind, a key compromise is not a universal event.  Only the 
targeted caches will be hit.  A forger still must provoke each 
intended victim into asking the right question, it could take time to 
hit a significant share of caches.
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Now, don't say I'm always complaining.
Wait, that's a complaint, isn't it?

More information about the dns-operations mailing list