[dns-operations] geant.org dnssec

Antoin Verschuren dns at antoin.nl
Tue Feb 7 14:05:03 UTC 2017


On 7 Feb 2017, at 14:28, Phil Regnauld <regnauld at nsrc.org> wrote:

> Antoin Verschuren (dns) writes:
>> https://www.ietf.org/id/draft-ietf-eppext-keyrelay-12.txt
>> 
>> It’s been successfully used in production with a number of .nl domains that do NSEC3 as well.
>> I’d say that's a safer alternative than going insecure.
> 
> 	Assuming it's implemented correctly - in this case, going bogus because
> 	of a bug in a signer is marginally better than being insecure for a short
> 	time. Depends on the definition of "safer" :)


If the error is in calculating the NSEC3 chain, then adding a DS and later removing the old DS so at least one DS remains will not change the NSEC3 chain, which is the hardest part of signing.
I agree that there should be no error in calculating the chain anyway, but recalculating the complete NSEC3 chain with no white lies takes time most large parent zones have minimized with no room for error correction for the benefit of fast provisioning of new domains.

Once secure it’s hard to go back, staying secure is always better ;-).
Especially if your infrastructure depends on DNSSEC with DANE or other security parameters in DNS.

For a more readable motivation: https://www.sidnlabs.nl/downloads/wp_2013_EPP-keyrelay_v1.en.pdf

-- 
Antoin Verschuren

Tweevoren 6, 5672 SB Nuenen, NL
M: +31 6 37682392
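The point made above about the parent's NSEC3 chain can be checked with a small model. The following is an added example, not code from the thread or from the key relay draft: it implements the RFC 5155 owner-name hash, builds a parent zone's NSEC3 chain from a constructed set of delegations (the names, DS digest values, salt and iteration count are all assumed, with the salt and iterations chosen to match the RFC 5155 Appendix A vector so the hash function can be verified), and then compares the chain across a double-DS rollover against the chain change caused by going insecure.

```python
"""Model of a parent zone's NSEC3 chain under DS changes (constructed example)."""
import base64
import hashlib

# Base32 standard alphabet -> base32hex alphabet (RFC 4648 section 7), as NSEC3 uses.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(owner || salt), re-hashed `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def build_chain(apex, delegations, salt, iterations, opt_out=True):
    """Return the NSEC3 chain as sorted (hashed_owner, next_hashed_owner, types).

    delegations maps child name -> set of DS digests (empty set = insecure child).
    With opt-out, insecure delegations are left out of the chain entirely.
    """
    owners = {apex: frozenset({"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"})}
    for child, ds_digests in delegations.items():
        if opt_out and not ds_digests:
            continue
        owners[child] = frozenset({"NS", "DS", "RRSIG"} if ds_digests else {"NS"})
    rows = sorted((nsec3_hash(n, salt, iterations), t) for n, t in owners.items())
    return [(h, rows[(i + 1) % len(rows)][0], t) for i, (h, t) in enumerate(rows)]


# Constructed parent zone; salt/iterations match RFC 5155 Appendix A so the hash
# function can be checked against a published vector.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
APEX = "nl."
PARENT = {
    "geant.nl.": {"ds-digest-old"},   # secure delegation (digest value constructed)
    "insecure.nl.": set(),            # insecure delegation
    "other.nl.": {"ds-digest-other"},
}


def double_ds_rollover(zone):
    """Key-relay style rollover: publish the new DS beside the old one, then drop the old.
    Returns the chain before, mid-way and after; a DS is present at every step."""
    mid = dict(zone)
    mid["geant.nl."] = zone["geant.nl."] | {"ds-digest-new"}
    end = dict(mid)
    end["geant.nl."] = {"ds-digest-new"}
    return [build_chain(APEX, z, SALT, ITERATIONS) for z in (zone, mid, end)]


def go_insecure(zone, opt_out=True):
    """Remove every DS for the child; returns the chain before and after."""
    after = dict(zone)
    after["geant.nl."] = set()
    return (build_chain(APEX, zone, SALT, ITERATIONS, opt_out),
            build_chain(APEX, after, SALT, ITERATIONS, opt_out))


if __name__ == "__main__":
    before, mid, end = double_ds_rollover(PARENT)
    print("chain unchanged across double-DS rollover:", before == mid == end)
    b, a = go_insecure(PARENT)
    print("opt-out chain length before/after going insecure:", len(b), len(a))
```

With at least one DS present at every step, the set of hashed owner names and their type bitmaps never change, so no NSEC3 RR in the parent needs to be regenerated or re-signed. Dropping the last DS is different: under opt-out the delegation leaves the chain and its neighbours' NSEC3 RRs must be rewritten, and without opt-out the delegation's own NSEC3 RR changes its type bitmap.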