[dns-operations] geant.org dnssec
Phil Regnauld
regnauld at nsrc.org
Tue Feb 7 14:44:22 UTC 2017
Antoin Verschuren (dns) writes:
> >
> > Assuming it's implemented correctly - in this case, going bogus because
> > of a bug in a signer is marginally better than being insecure for a short
> > time. Depends on the definition of "safer" :)
>
> If the error is in calculating the NSEC3 chain, then adding a DS and later removing the old DS so at least one DS remains will not change the NSEC3 chain, which is the hardest part of signing.
Ok, thanks for the clarification.
> Once secure it’s hard to go back, staying secure is always better ;-).
:)
> Especially if your infrastructure depends on DNSSEC with DANE or other security parameters in DNS.
Very true.
> For a more readable motivation: https://www.sidnlabs.nl/downloads/wp_2013_EPP-keyrelay_v1.en.pdf
Will read!
Thanks,
Phil
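To make the NSEC3 point above concrete, here is an added example (not part of the thread, and not from any of the participants) that computes NSEC3 hashed owner names per RFC 5155 and shows that a DS add-then-remove at the parent leaves the chain untouched, while a new salt or a new owner name does not. The parent zone, key tags and digests are constructed stand-ins.

```python
import base64
import hashlib

# base32 (RFC 4648) -> base32hex, the encoding NSEC3 owner names use
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the root label (RFC 4034 section 6.2)."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more
    times, encoded as base32hex (20 bytes -> 32 characters, no padding)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def nsec3_chain(zone, salt, iterations):
    """The chain: hashed owner names in ascending order. Only the owner names,
    salt and iteration count feed into it; RDATA such as a DS digest does not."""
    return sorted(nsec3_hash(owner, salt, iterations) for owner in zone)


# Constructed sample parent zone with one secure delegation (values are stand-ins).
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
BEFORE = {"example.": ["SOA", "NS", "DNSKEY", "NSEC3PARAM"],
          "child.example.": ["NS", "DS keytag=1111 digest=OLD"]}
# Step 1: the new DS is published alongside the old one.
DURING = {"example.": BEFORE["example."],
          "child.example.": ["NS", "DS keytag=1111 digest=OLD", "DS keytag=2222 digest=NEW"]}
# Step 2: the old DS is withdrawn; at least one DS was present throughout.
AFTER = {"example.": BEFORE["example."],
         "child.example.": ["NS", "DS keytag=2222 digest=NEW"]}


def ds_rollover_keeps_chain():
    """True when every step of the DS swap leaves the NSEC3 chain identical."""
    chains = [nsec3_chain(z, SALT, ITERATIONS) for z in (BEFORE, DURING, AFTER)]
    return chains[0] == chains[1] == chains[2]


def resalt_changes_chain():
    """Contrast: a new salt forces every hashed owner name to be recomputed."""
    return nsec3_chain(AFTER, SALT, ITERATIONS) != nsec3_chain(AFTER, b"", ITERATIONS)
```

Only the type bitmap on the delegation's NSEC3 record reflects the DS change; the hashed owner names and their ordering, which a signer bug in the chain computation would corrupt, stay the same.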