Changes

Security/DNSSEC-TLS

122 bytes added, 18:51, 30 June 2011
m
Security Considerations
Similarly, if the certificate can be checked against OCSP or a CRL, it should be. If the certificate has been revoked, the TLS session should not continue.
Currently there is no revocation mechanism for DNS keys or signatures. Most signatures are valid for 1 month, however, so if a key has been compromised, the window of opportunity for evildoers is short. One survey did come up with this, though: [http://secspider.cs.ucla.edu/images/key-lifetimes.png key signature lifetimes]
Configuration of DNSSEC is not significantly more difficult than configuring DNS. As long as private keys are not exposed, it would be difficult to configure DNSSEC in a way that is operable yet insecure.