Security/DNSSEC-TLS: Difference between revisions

Similarly, if the certificate can be checked against OCSP or a CRL, it should be. If the certificate has been revoked, the TLS session should not continue. Note that if the revocation check cannot be completed (for example, the OCSP responder is unreachable) and the client treats that as success ("soft fail"), an attacker who can block the OCSP request can keep using a revoked certificate, so the check only has value if its failure is also treated as a failure of the handshake.


Currently there is no revocation mechanism for DNS keys or signatures comparable to OCSP or a CRL. Every RRSIG does carry explicit inception and expiration times, however, and most signatures are valid for about a month, so if a key has been compromised the window of opportunity for attackers is bounded by the remaining signature lifetime (plus resolver caching, at most the record TTL) rather than being open-ended. Rolling the key (removing the compromised DNSKEY from the zone and, for a KSK, updating the DS record at the parent) closes the window sooner, but the old DNSKEY RRset can still be replayed until its own signature expires. One survey of signature lifetimes in the wild: [http://secspider.cs.ucla.edu/images/key-lifetimes.png key signature lifetimes]
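The following is an added example, not code from the original wiki page, illustrating the argument above: a validator only accepts an RRSIG whose inception/expiration window contains the current time, so the signature lifetime bounds how long a compromised or removed key keeps working. The RRSIG records are constructed sample data in zone-file presentation format; the zone name `example.test`, key tags and base64 signature bodies are made up and the signature bytes are not cryptographically checked here.

```python
"""Added example: signature validity windows as the (only) bound on DNSSEC
key exposure.  The records below are constructed sample data, not from any
real zone; the signature fields are placeholders and are never verified."""
from datetime import datetime, timedelta, timezone

# Constructed RRSIGs in presentation format (RFC 4034 section 3.2):
# owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
# Key tag 12345 plays the ZSK (signs data); key tag 54321 plays the KSK (signs the DNSKEY RRset).
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A 13 2 3600 20240301000000 20240201000000 12345 example.test. c2lnMQ==
www.example.test. 3600 IN RRSIG A 13 3 3600 20240215000000 20240201000000 12345 example.test. c2lnMg==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240401000000 20240201000000 54321 example.test. c2lnMw==
"""


def parse_rrsig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Parse presentation-format RRSIG lines into dicts; other lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 13 or parts[3] != "RRSIG":
            continue
        records.append({
            "owner": parts[0],
            "type_covered": parts[4],
            "algorithm": int(parts[5]),
            "expiration": parse_rrsig_time(parts[8]),
            "inception": parse_rrsig_time(parts[9]),
            "key_tag": int(parts[10]),
            "signer": parts[11],
        })
    return records


def signature_is_current(rrsig, now):
    """RFC 4035 section 5.3.1: the validator's clock must lie within
    [inception, expiration]; outside that window the RRSIG is rejected."""
    return rrsig["inception"] <= now <= rrsig["expiration"]


def max_signature_lifetime(rrsigs):
    """Longest expiration - inception span among the records (the quantity
    the paragraph above estimates at roughly one month for most zones)."""
    return max(r["expiration"] - r["inception"] for r in rrsigs)


def replay_window_after_zsk_removal(rrsigs, removal_time):
    """Worst-case exposure after a compromised ZSK is removed from the zone.

    Without a revocation mechanism, an attacker can keep replaying the old
    DNSKEY RRset together with its old KSK-made RRSIG, and validators will
    accept the removed key until that RRSIG expires.  Resolver caching adds
    at most the record TTL on top of this.  Returns timedelta(0) if no
    DNSKEY signature outlives the removal time."""
    ends = [r["expiration"] for r in rrsigs
            if r["type_covered"] == "DNSKEY" and r["expiration"] > removal_time]
    if not ends:
        return timedelta(0)
    return max(ends) - removal_time


if __name__ == "__main__":
    sigs = parse_rrsigs(SAMPLE_RRSIGS)
    now = datetime(2024, 2, 20, tzinfo=timezone.utc)
    for r in sigs:
        print(r["owner"], r["type_covered"], "current" if signature_is_current(r, now) else "REJECT")
    print("longest signature lifetime:", max_signature_lifetime(sigs))
    removal = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print("replay window after ZSK removal on", removal.date(), ":",
          replay_window_after_zsk_removal(sigs, removal))
```

The useful observation is the last function: even after the operator removes the compromised key, the remaining validity of the signature over the DNSKEY RRset is the real bound on the attacker, which is why short signature lifetimes (and a short TTL on the DNSKEY RRset) substitute for revocation in DNSSEC.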


Configuration of DNSSEC is not significantly more difficult than configuring DNS. As long as private keys are not exposed, it would be difficult to configure DNSSEC in a way that is operable yet insecure. The common operational failure mode is the opposite one: letting signatures expire, or publishing a DS record at the parent that does not match the zone's DNSKEY, makes validating resolvers reject the zone's data, so the zone goes dark rather than becoming insecure.