[dns-operations] geant.org dnssec
regnauld at nsrc.org
Tue Feb 7 14:44:22 UTC 2017
Antoin Verschuren (dns) writes:
> > Assuming it's implemented correctly - in this case, going bogus because
> > of a bug in a signer is marginally better than being insecure for a short
> > time. Depends on the definition of "safer" :)
> If the error is in calculating the NSEC3 chain, then adding a DS and later removing the old DS so at least one DS remains will not change the NSEC3 chain, which is the hardest part of signing.
Ok, thanks for the clarification.
> Once secure it’s hard to go back, staying secure is always better ;-).
> Especially if your infrastructure depends on DNSSEC with DANE other security parameters in DNS.
> For a more readable motivation: https://www.sidnlabs.nl/downloads/wp_2013_EPP-keyrelay_v1.en.pdf