[dns-operations] .fr has 5 DNSKEYs
Edward Lewis
Ed.Lewis at neustar.biz
Wed Jun 1 16:59:45 UTC 2011
At 17:18 +0100 6/1/11, George Barwood wrote:
>The other point : is it true that after the detected compromise of a key,
>having a rescue key allows security to be restored faster.
Faster...than not having a rescue key? Yes.
>You can start signing with rescue key, but the attacker can still
>forge responses until the old DNSKEY RRsets have expired. So that's
>not clear.
The goal is to 1) cause no more harm and 2) remove the old key's
effectiveness as quickly as possible. By not having a rescue key you
have the choice to shock the system (violate #1) or introduce the new
key gracefully (lengthen the time to achieve #2).
Keep in mind, a key compromise is not a universal event. Only the
targeted caches will be hit. A forger still must provoke each
intended victim into asking the right question; it could take time to
hit a significant share of caches.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Now, don't say I'm always complaining.
Wait, that's a complaint, isn't it?
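The timing argument in this exchange, worked through as an added example (not from the thread): a simplified model of a compromised ZSK under a pre-publish style rollover, where "harm" means validators that may SERVFAIL on legitimate data and "old key dead" means no cache can still validate signatures made with the compromised key. It assumes only two TTLs matter (the DNSKEY RRset TTL and the largest zone TTL) and ignores RRSIG validity periods, negative caching and any KSK/DS change at the parent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    harm_window: int      # seconds after detection during which some caches may fail validation
    old_key_dead_at: int  # seconds after detection when the compromised key validates nowhere


def rollover_outcomes(dnskey_ttl: int, max_zone_ttl: int) -> dict[str, Outcome]:
    """Assumed, simplified timeline model. Three phases can occur, in seconds:
      propagate: wait dnskey_ttl so every cache holds a DNSKEY RRset that contains the new key
      drain:     wait max_zone_ttl so signatures made by the old key have left every cache
      expire:    after the old key is withdrawn, caches keep the old DNSKEY RRset for dnskey_ttl
    The old key is only harmless once it has been withdrawn AND that withdrawal has expired
    from every cache, so old_key_dead_at always ends with an 'expire' phase.
    """
    return {
        # Shock without a rescue key: publish new key, re-sign everything and withdraw the
        # old key at once. Caches with the old DNSKEY RRset cannot validate new signatures
        # (dnskey_ttl) and caches with the new RRset cannot validate old ones (max_zone_ttl).
        "no rescue key, shock": Outcome(
            harm_window=max(dnskey_ttl, max_zone_ttl),
            old_key_dead_at=dnskey_ttl,
        ),
        # Graceful without a rescue key: propagate, switch signing, drain, withdraw, expire.
        "no rescue key, graceful": Outcome(
            harm_window=0,
            old_key_dead_at=dnskey_ttl + max_zone_ttl + dnskey_ttl,
        ),
        # Rescue key already in every cache: switch signing now, drain, withdraw, expire.
        # The saving over the graceful case above is exactly one propagate phase.
        "rescue key, graceful": Outcome(
            harm_window=0,
            old_key_dead_at=max_zone_ttl + dnskey_ttl,
        ),
        # Rescue key, shock: withdraw the old key immediately. Caches that already hold the
        # new DNSKEY RRset fail on still-cached old-key signatures until those drain.
        "rescue key, shock": Outcome(
            harm_window=max_zone_ttl,
            old_key_dead_at=dnskey_ttl,
        ),
    }


def rescue_key_saving(dnskey_ttl: int, max_zone_ttl: int) -> int:
    """Seconds by which a pre-published rescue key shortens the harmless rollover."""
    o = rollover_outcomes(dnskey_ttl, max_zone_ttl)
    return o["no rescue key, graceful"].old_key_dead_at - o["rescue key, graceful"].old_key_dead_at
```

With a one-hour DNSKEY TTL and a one-day maximum zone TTL, the rescue key saves one hour on the harmless path; the only way to kill the old key sooner is to accept up to a day of validation failures.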