[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: prohibiting use of expired RRSIGs

To: Mike StJohns <Mike.StJohns@nominum.com>
Subject: Re: prohibiting use of expired RRSIGs
From: Samuel Weiler <weiler@tislabs.com>
Date: Fri, 23 Jan 2004 14:06:48 +0100 (CET)
Cc: namedroppers@ops.ietf.org
In-reply-to: <6.0.1.1.2.20040116143609.02a21418@localhost>
References: <200401050759.i057xSMF006856@birch.ripe.net> <ilun0921jm2.fsf@latte.josefsson.org> <Pine.GSO.4.55.0401120406380.495@filbert> <Pine.GSO.4.55.0401142033400.7196@filbert> <Pine.GSO.4.55.0401142142540.12241@filbert> <Pine.GSO.4.55.0401151349150.16749@filbert> <6.0.1.1.2.20040116122716.02c77a08@localhost> <Pine.GSO.4.55.0401161413351.3612@filbert> <6.0.1.1.2.20040116143609.02a21418@localhost>

> MAY be configurable as to whether to accept expired records.  If
> configurable,  SHOULD be
> configurable to as to the maximum out of date expired records can be to be
> acceptable.  And if configurable, MUST default to not accepting expired
> records.

Much better, but this loses the main sentiment of the original,
namely that one MUST NOT or SHOULD NOT use out-of-date (expired or
not yet active) RRSIGs.  The text above would allow a non-configurable
resolver to accept out-of-date records.

I have a broader proposal, which I'm about to post.

-- Sam

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- Re: prohibiting use of expired RRSIGs
  - From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>

References:
- Reminder WGLC DNSSECvbis and NSEC++
  - From: Olaf Kolkman <olaf@ripe.net>
- Comments on draft-ietf-dnsext-nsec-rdata-03.txt
  - From: Simon Josefsson <jas@extundo.com>
- Re: Comments on draft-ietf-dnsext-nsec-rdata-03.txt
  - From: Samuel Weiler <weiler@tislabs.com>
- Explicit support for nsec-03
  - From: Samuel Weiler <weiler@tislabs.com>
- intro-08 WGLC comments
  - From: Samuel Weiler <weiler@tislabs.com>
- prohibiting use of expired RRSIGs
  - From: Samuel Weiler <weiler@tislabs.com>
- Re: prohibiting use of expired RRSIGs
  - From: Mike StJohns <Mike.StJohns@nominum.com>
- Re: prohibiting use of expired RRSIGs
  - From: Samuel Weiler <weiler@tislabs.com>
- Re: prohibiting use of expired RRSIGs
  - From: Mike StJohns <Mike.StJohns@nominum.com>

Prev by Date: RE: WGLC on DNSSEC bis document set
Next by Date: Re: TMM (too many mnemonics)
Previous by thread: Re: prohibiting use of expired RRSIGs
Next by thread: Re: prohibiting use of expired RRSIGs
Index(es):
- Date
- Thread