[dns-operations] geant.org dnssec

Phil Regnauld regnauld at nsrc.org
Tue Feb 7 14:44:22 UTC 2017

Antoin Verschuren (dns) writes:
> > 
> > 	Assuming it's implemented correctly - in this case, going bogus because
> > 	of a bug in a signer is marginally better than being insecure for a short
> > 	time. Depends on the definition of "safer" :)
> If the error is in calculating the NSEC3 chain, then adding a DS and later removing the old DS so at least one DS remains will not change the NSEC3 chain, which is the hardest part of signing.

	Ok, thanks for the clarification.

> Once secure it’s hard to go back,  staying secure is always better ;-).


> Esspecially if your infrastructure depends on DNSSEC with DANE other security parameters in DNS.

	Very true.

> For a more readable motivation: https://www.sidnlabs.nl/downloads/wp_2013_EPP-keyrelay_v1.en.pdf

	Will read!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170207/2618e9b9/attachment.sig>

More information about the dns-operations mailing list