[Opendnssec-develop] ZSK rollovers

Matthijs Mekking matthijs at NLnetLabs.nl
Thu May 6 10:16:32 UTC 2010



Sion Lloyd wrote:
>> The signer currently replaces signatures only if the keytag matches. For
>> example, in the current signer engine, Key 12345 will not replace old
>> signatures that were created with Key 67890.
> 
> So in the unlikely event that you roll to a key with the same keytag we would see a gradual replacement of signatures?

Yes. This was already a known issue by the way.

> 
> 
> - Now we have introduced assumptions about what rollover scheme is used
> into the signer engine. While it was explicitly designed *not* to know
> about.
> 
> I think that we can cope with this. The enforcer should mark any key that should be used to sign as "active", then the signer doesn't need to know _why_ the key should be used, just that it should be.

That's ok. But the problem is the way the signer needs to replace
signatures:

- In a pre-published rollover mechanism, you *don't* create a new
signature for the introduced key if there is a fresh signature created
with a different key.

- In a double signature rollover mechanism, you *do* create a new
signature for the introduced key if there is a fresh signature created
with a different key.


Best regards,

Matthijs





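The two replacement rules from the message above, together with the key-tag collision raised at the top of the thread, as an added Python model (not OpenDNSSEC signer code; the Key/Rrsig structures, the per-key "keyid" locator, the "prepublish"/"double" scheme names and the sample keys are assumptions made for illustration):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    keyid: str    # locator unique per key (assumed here; not the DNSKEY key tag)
    keytag: int   # 16-bit DNSKEY key tag; two distinct keys may share one
    active: bool  # set by the enforcer: this key must be used to sign


@dataclass(frozen=True)
class Rrsig:
    signer_keyid: str
    keytag: int
    fresh: bool   # still inside the refresh window, so not due for replacement


def _same_key(key: Key, sig: Rrsig, match_by: str) -> bool:
    """Attribute a signature to a key by key tag (old behaviour) or by locator."""
    if match_by == "keytag":
        return key.keytag == sig.keytag
    return key.keyid == sig.signer_keyid


def plan_rrset(keys, sigs, scheme, match_by="keyid"):
    """Decide which existing RRSIGs of one RRset to keep and which keys must sign.

    scheme "prepublish": an active key signs only if no fresh signature exists at all.
    scheme "double":     every active key must own a fresh signature.
    Returns (keep, create): kept Rrsigs and the sorted keyids that need a new signature.
    """
    if scheme not in ("prepublish", "double"):
        raise ValueError(f"unknown rollover scheme: {scheme}")
    keep = [s for s in sigs if s.fresh]  # stale signatures are always dropped
    any_fresh = bool(keep)
    create = []
    for key in keys:
        if not key.active:
            continue
        if any(_same_key(key, s, match_by) for s in keep):
            continue  # this key already has a fresh signature (as far as we can tell)
        if scheme == "double" or not any_fresh:
            create.append(key.keyid)
    return keep, sorted(create)


if __name__ == "__main__":
    # Constructed sample: the new ZSK happens to get the same key tag as the old one.
    old, new = Key("old-zsk", 12345, active=False), Key("new-zsk", 12345, active=True)
    sig = Rrsig("old-zsk", 12345, fresh=True)
    print("by keytag:", plan_rrset([old, new], [sig], "double", match_by="keytag"))
    print("by keyid: ", plan_rrset([old, new], [sig], "double", match_by="keyid"))
```

Matching by key tag makes the double-signature scheme silently degrade into gradual replacement whenever tags collide; matching on a per-key locator does not.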
