dnssec lookaside to dlv.isc.org broke recursion

Chris Thompson cet1 at cam.ac.uk
Sat Oct 25 19:27:06 UTC 2008


On Oct 24 2008, D. Stussy wrote, re the dlv.isc.org KSK,

>If isc.org is going to change it annually or so, fine, but then let them
>publish about 4 key-signing-keys, even if only one is actively used.  That
>would be 4 years worth of keys, which should be enough to cover 4+ years -
>long enough for ICANN to get off their asses and sign the root zone.

This doesn't make much (I am inclined to say "any") sense. Publishing the
keys subjects them to attack, whether they are used for signing or not.
The whole point of changing the keys regularly is to limit the time they
are exposed to such attack.

Also, 4 years is a long time in cryptographic techniques. Who is to say,
for example, whether a 2048-bit KSK will still be adequate after that long?

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
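The thread argues about how often a DLV key-signing key should be rolled and whether a 2048-bit KSK stays adequate. As an added example (not code from this post or from ISC), the following Python script parses a presentation-format DNSKEY record, computes its RFC 4034 key tag, and extracts the RSA modulus size from the RFC 3110 public-key encoding so a validator operator can check a trust anchor against a minimum key-size policy. The owner name and key bytes are constructed for the example and are not a real key.

```python
import base64
import struct

# Constructed sample, not a real key: a KSK (flags 257), algorithm 8 (RSA/SHA-256),
# RFC 3110 public key = exponent-length byte, exponent 65537, 256-byte modulus.
SAMPLE_PUBKEY = bytes([3, 0x01, 0x00, 0x01]) + bytes([0x80]) + bytes(255)
SAMPLE_DNSKEY = "dlv.example. IN DNSKEY 257 3 8 " + base64.b64encode(SAMPLE_PUBKEY).decode()

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSA/SHA-1, RSASHA1-NSEC3-SHA1, RSA/SHA-256, RSA/SHA-512


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA wire form."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA public key (exponent-length prefix, exponent, modulus)."""
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:  # exponents longer than 255 bytes use a zero byte followed by a 2-byte length
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(record: str) -> dict:
    """Parse a presentation-format DNSKEY RR into the fields a key-policy check needs."""
    fields = record.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return {
        "owner": fields[0],
        "flags": flags,
        "is_ksk": bool(flags & 0x0001),  # SEP bit marks a key-signing key
        "algorithm": alg,
        "key_tag": key_tag(rdata),
        "key_bits": rsa_modulus_bits(pubkey) if alg in RSA_ALGORITHMS else None,
    }


def ksk_meets_policy(record: str, min_bits: int = 2048) -> bool:
    """True if the record is an RSA KSK whose modulus is at least min_bits."""
    info = parse_dnskey(record)
    return info["is_ksk"] and info["key_bits"] is not None and info["key_bits"] >= min_bits


if __name__ == "__main__":
    print(parse_dnskey(SAMPLE_DNSKEY))
```

Run it against the DNSKEY RRset of whatever lookaside or trust-anchor zone you configure, and raise `min_bits` as your own policy tightens; non-RSA algorithms report `key_bits` as `None` and fail the check deliberately.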



More information about the bind-users mailing list