[dns-operations] .fr has 5 DNSKEYs
Ed.Lewis at neustar.biz
Wed Jun 1 16:59:45 UTC 2011
At 17:18 +0100 6/1/11, George Barwood wrote:
>The other point : is it true that after the detected compromise of a key,
>having a rescue key allows security to be restored faster.
Faster...than not having a rescue key? Yes.
>You can start signing with rescue key, but the attacker can still
>forge responses until the old DNSKEY RRsets have expired. So that's
The goal is to 1) cause no more harm and 2) remove the old key's
effectiveness as quickly as possible. By not having a rescue key you
have the choice to shock the system (violate #1) or introduce the new
key gracefully (lengthen the time to achieve #2).
Keep in mind, a key compromise is not a universal event. Only the
targeted caches will be hit. A forger still must provoke each
intended victim into asking the right question; it could take time to
hit a significant share of caches.
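The trade-off Ed describes (a pre-published rescue key versus either "shocking" the caches or rolling gracefully) can be made concrete with a small timeline model. The code below is an added example, not code from the thread or from .fr/AFNIC. It assumes the compromised key is a ZSK (so no parent DS change is involved), that every cache refetches the DNSKEY RRset the moment its copy expires and picks up whatever the authoritative server is serving at that instant, and that the only failure mode modelled is "fresh data signed by a key the cache's DNSKEY RRset does not contain". The graceful schedule follows the RFC 6781 pre-publish rollover; the TTL values and the number of caches are constructed for illustration.

```python
"""
Timeline model of replacing a compromised DNSSEC ZSK three ways:
  rescue   - a standby key was pre-published long ago, so caches already
             hold {old, rescue}; switch signer and drop the old key at once
  shock    - no standby key; replace the key and the signer in one step
  graceful - no standby key; RFC 6781 pre-publish rollover
For each strategy we ask two things:
  1. how long caches keep accepting data signed with the compromised key
     (the attacker's window), and
  2. how many (cache, time-step) pairs fail to validate legitimate data.
Added example; constants and cache population are constructed, not
measured.  t = 0 is the moment the operator acts on the compromise.
"""
from dataclasses import dataclass

DNSKEY_TTL = 3600      # assumed TTL of the DNSKEY RRset (seconds)
MAX_RR_TTL = 86400     # assumed largest TTL of signed data in the zone
LONG_AGO = -10**9      # "served since forever" marker for the initial state


@dataclass(frozen=True)
class ZoneState:
    start: int             # first time this version of the zone is served
    dnskeys: frozenset     # keys present in the published DNSKEY RRset
    signer: str            # key whose private half signs the zone data


def plan(strategy):
    """Sequence of zone versions the authoritative server publishes."""
    if strategy == "rescue":
        return [ZoneState(LONG_AGO, frozenset({"old", "rescue"}), "old"),
                ZoneState(0, frozenset({"rescue"}), "rescue")]
    if strategy == "shock":
        return [ZoneState(LONG_AGO, frozenset({"old"}), "old"),
                ZoneState(0, frozenset({"new"}), "new")]
    if strategy == "graceful":
        # Pre-publish: add new key, wait one DNSKEY TTL so every cache has
        # it, switch signer, keep the old key published until signatures
        # made with it have expired from caches (RFC 6781), then remove it.
        return [ZoneState(LONG_AGO, frozenset({"old"}), "old"),
                ZoneState(0, frozenset({"old", "new"}), "old"),
                ZoneState(DNSKEY_TTL, frozenset({"old", "new"}), "new"),
                ZoneState(DNSKEY_TTL + MAX_RR_TTL, frozenset({"new"}), "new")]
    raise ValueError(f"unknown strategy {strategy!r}")


def state_at(states, t):
    """Zone version being served at time t."""
    current = states[0]
    for s in states:
        if s.start <= t:
            current = s
    return current


def cached_dnskeys(states, phase, t):
    """DNSKEY RRset held at time t by a cache that refetches DNSKEY every
    DNSKEY_TTL seconds, aligned so that fetches happen at phase + k*TTL."""
    last_fetch = t - ((t - phase) % DNSKEY_TTL)   # Python % is non-negative
    return state_at(states, last_fetch).dnskeys


def simulate(strategy, n_caches=360, step=60,
             horizon=2 * DNSKEY_TTL + MAX_RR_TTL + 1):
    """Sweep time in `step` seconds over a population of caches whose
    DNSKEY fetch times are spread evenly across one TTL."""
    states = plan(strategy)
    phases = [i * DNSKEY_TTL // n_caches for i in range(n_caches)]
    last_forgery_ok = None   # last t at which some cache still trusts "old"
    failures = 0             # legitimate data that some cache cannot validate
    for t in range(0, horizon, step):
        signer = state_at(states, t).signer
        for phase in phases:
            keys = cached_dnskeys(states, phase, t)
            if "old" in keys:
                last_forgery_ok = t
            if signer not in keys:
                failures += 1
    return {"old_key_usable_until": last_forgery_ok,
            "failed_validations": failures}


if __name__ == "__main__":
    for name in ("rescue", "shock", "graceful"):
        r = simulate(name)
        print(f"{name:9s} attacker window ends t={r['old_key_usable_until']:6d}s"
              f"  failed validations={r['failed_validations']}")
```

With the constructed TTLs the rescue strategy ends the attacker's window after one DNSKEY TTL with no validation failures; the shock strategy ends it just as fast but every cache still holding the old RRset rejects legitimate data until its copy expires (Ed's "violate #1"); the graceful rollover never breaks validation but leaves the old key trusted for two DNSKEY TTLs plus the zone's longest RR TTL (Ed's "lengthen the time to achieve #2"). If the compromised key were a KSK the model would additionally need the parent's DS TTL and change latency, which usually dominates.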