I have already sent purely editorial comments to MSJ.
I have a problem with Section 2.3 Remove Hold-Down:
"A new key which has been seen by the resolver, but hasn't reached
it's add hold-down time, MAY be removed from the DNSKEY RRSet by the
zone owner. If the resolver sees a validated DNSKEY RRSet without
this key, it waits for the remove hold-down time and then, if the key
hasn't reappeared, SHOULD discard any information about the key."
But the previous section (2.2) says:
"To mitigate, [blah blah blah] ...
If the resolver ever sees the DNSKEY RRSet
without the new key but validly signed, it stops the acceptance
process and resets the acceptance timer. If all of the keys which
were originally used to validate this key are revoked prior to the
timer expiring, the resolver stops the acceptance process and resets
So which is it? The resolver sees a new key, then gets an RRSet without
that key before the add-hold-down timer (acceptance time is reached).
You throw away all info about that key, or wait for another timer
(remove hold-down) to expire? I think it is the former. I think the
Remove Hold-Down timer is really supposed to be talking about keys
being REVOKED, not about new keys subsequently not appearing in
RRSets. Or is it something else altogether?
Other than this clarification, I support this draft being
advanced. FYI, I am currently working on an implementation
of this draft.
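Added example (not part of the message above and not text from the draft): a small resolver-side tracker that models the two hold-downs the poster is asking about, so the difference between the Section 2.2 behaviour and the Section 2.3 behaviour can be seen by stepping through observed DNSKEY RRSets. It follows the quoted Section 2.2 text literally: a key that vanishes before its add hold-down expires drops back to the start state and its acceptance timer is reset. It then applies the remove hold-down only to keys that were already accepted and later go missing or are seen revoked, which is the reading the poster proposes; that choice, the 30-day hold-down values, the state names, the `Key`/`TrustAnchorTracker` classes and the flag constants are all assumptions of this example, not something the draft text on this page settles. The caller is assumed to have already validated each RRSet against a currently trusted anchor.

```python
"""Toy trust-anchor hold-down tracker (added illustration, not the draft's reference code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Set

DAY = 24 * 3600
ADD_HOLD_DOWN = 30 * DAY     # assumed value; the draft fixes the real add hold-down
REMOVE_HOLD_DOWN = 30 * DAY  # assumed value; the draft fixes the real remove hold-down
SEP_BIT = 0x0001             # DNSKEY flags: Secure Entry Point
REVOKE_BIT = 0x0080          # DNSKEY flags: key has been revoked by its owner


class State(Enum):
    START = "Start"      # not tracked, or discarded after a failed acceptance
    ADDPEND = "AddPend"  # seen in a validated RRSet, waiting out the add hold-down
    VALID = "Valid"      # accepted as a trust anchor
    MISSING = "Missing"  # accepted key absent from the RRSet, remove hold-down running
    REVOKED = "Revoked"  # seen with REVOKE set, remove hold-down running
    REMOVED = "Removed"  # all state about the key may be forgotten


@dataclass
class Key:
    tag: int
    flags: int = SEP_BIT


@dataclass
class Tracked:
    state: State
    since: Optional[int] = None  # epoch seconds when the current hold-down started


class TrustAnchorTracker:
    def __init__(self, initial_anchors: Iterable[int]):
        self.keys: Dict[int, Tracked] = {t: Tracked(State.VALID) for t in initial_anchors}

    def trusted_tags(self) -> Set[int]:
        return {tag for tag, k in self.keys.items() if k.state is State.VALID}

    def observe(self, rrset: Iterable[Key], now: int) -> Dict[int, str]:
        """Feed one DNSKEY RRSet (already validated by the caller); return key states."""
        present = {k.tag: k for k in rrset}

        # Step 1: transitions driven by keys that ARE in the RRSet.
        for key in present.values():
            tracked = self.keys.setdefault(key.tag, Tracked(State.START))
            revoked = bool(key.flags & REVOKE_BIT)
            if tracked.state is State.START:
                # A key first seen already revoked is never a candidate anchor.
                if not revoked and key.flags & SEP_BIT:
                    self.keys[key.tag] = Tracked(State.ADDPEND, now)
            elif tracked.state is State.ADDPEND:
                if revoked:
                    self.keys[key.tag] = Tracked(State.START)
                elif now - tracked.since >= ADD_HOLD_DOWN:
                    self.keys[key.tag] = Tracked(State.VALID)  # add hold-down survived
            elif tracked.state in (State.VALID, State.MISSING):
                if revoked:
                    self.keys[key.tag] = Tracked(State.REVOKED, now)
                else:
                    self.keys[key.tag] = Tracked(State.VALID)  # reappeared, timer dropped
            # REVOKED / REMOVED: mere presence changes nothing.

        # Step 2: transitions driven by absence, plus remove hold-down expiry.
        for tag, tracked in list(self.keys.items()):
            if tag in present and tracked.state is not State.REVOKED:
                continue
            if tracked.state is State.ADDPEND:
                # Section 2.2 reading: acceptance stops and the timer resets.
                self.keys[tag] = Tracked(State.START)
            elif tracked.state is State.VALID:
                self.keys[tag] = Tracked(State.MISSING, now)
            elif tracked.state in (State.MISSING, State.REVOKED):
                if now - tracked.since >= REMOVE_HOLD_DOWN:
                    self.keys[tag] = Tracked(State.REMOVED)

        # Simplified form of the "all validating keys revoked" rule: if no anchor
        # remains trusted, any pending acceptance is reset as well.
        if not self.trusted_tags():
            for tag, tracked in list(self.keys.items()):
                if tracked.state is State.ADDPEND:
                    self.keys[tag] = Tracked(State.START)
        return {tag: k.state.value for tag, k in self.keys.items()}


if __name__ == "__main__":
    # Constructed walk-through: anchor 1000 trusted, 2000 introduced then briefly withdrawn.
    t = TrustAnchorTracker({1000})
    for day, rrset in [(0, [Key(1000), Key(2000)]), (10, [Key(1000)]),
                       (20, [Key(1000), Key(2000)]), (40, [Key(1000), Key(2000)]),
                       (50, [Key(1000), Key(2000)])]:
        print(f"day {day:3}:", t.observe(rrset, day * DAY))
```

Stepping the constructed sequence through shows the point of contention: because key 2000 disappeared on day 10, the day-40 RRSet does not accept it even though 40 days have passed since it was first seen; acceptance only completes on day 50, 30 days after it reappeared. The remove hold-down never runs for key 2000 during that episode; it only starts once an accepted key goes missing or is seen revoked.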