<tt><font size=2>Rickard Bondesson <rickard.bondesson@iis.se> wrote
on 15/10/2009 15:45:10:<br>
<br>
> Hi</font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> When going through the functionality of OpenDNSSEC,
I see that we have not <br>
> implemented RFC5011. And I think that it is nothing that you can code
during a<br>
> couple of hours and then be finished.</font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> Any comments?</font></tt>
<br>
<br><tt><font size=2>You are right. Although you can mess around
with the key timing and safety margins to get the appropriate hold-down
time before and after the key is used, I would think it needs a bit of
work in both KASP and the signer to handle the revoke bit. Ideally,
we would want a <rfc5011/> option that would automatically modify
any policy to operate within the constraints set by the RFC.</font></tt>
<br>
<br><tt><font size=2>I suggest we put it on the feature list for 1.1. It's
too late to include it now.</font></tt>
<br>
<br><tt><font size=2>Stephen</font></tt>
<br>
<br><tt><font size=2>BTW, I've just updated the key timing draft and included
an interpretation of how RFC 5011 affects the key roll process - see </font></tt><a href="http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01"><tt><font size=2>http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01</font></tt></a><tt><font size=2>.
</font></tt>