pocksuppet, 5 hours ago:
I must be early. There's not a single tptacek DNSSEC rant in this thread yet.
|
tptacek, 3 hours ago (parent):
What would I need to rant about? Sometimes the world does my ranting for me.
|
apaprocki, 3 hours ago (parent):
Maybe he drank a little too much Malört with the DENIC team last night?
|
aberoham, 4 hours ago (parent):
He's busy with MathAcademy earning XP-SEC.
|
0123456789ABCDE, 4 hours ago (parent):
Doesn't this event speak for itself though?
Avamander, 4 hours ago (parent):
Kind of. But there are worse things than outages when it's PKIs we're talking about. DNSSEC is also extremely opaque and unmonitored. Any compromise will not be noticed. Nor will anyone have any recourse against misbehaving roots. Fun fact: Cloudflare has used the same KSK for the zones it serves for more than a decade now.
daneel_w, 2 hours ago (parent):
Which is fine. Not because KSK rollover is supposedly complicated, but if you can't manage to keep your private keys and PKI safe in the first place, then key rotation is just a security circus trick. But if you do know how to keep them safe, then...
Avamander, 2 hours ago (parent):
It is not fine. Keeping key material safe is not a boolean between "permanently safe" and "leaks immediately". Keeping key material secure for more than a decade while it's in active use is vastly more complex than keeping it secure for a month, until it rotates. For all we know, some ex-employee might be walking around with that KSK, theoretically being able to use it for god knows what for another decade.
mike-cardwell, 4 hours ago (parent):
Perhaps he's moribund.