[Opendnssec-develop] Key removal
matthijs at NLnetLabs.nl
Thu Feb 19 13:45:55 UTC 2009
John Dickinson wrote:
> It still does but since the Enforcer can not see the signed zone it will
> not "know" how the signer is doing the signing (i.e. replacing all RRSIG
> every time or just signing new stuff and expiring RRSIGS) and if there
> are any signatures remaining from an old key.
I say if there are any signatures remaining from an old key, you have
(at least) two choices:
* Remove all signatures corresponding to the old key.
* Keep these signatures until their lifetime is exceeded and they still
However, the Signer Engine should not generate new signatures anymore.
Therefore it will have to
> calculate from the KASP signature parameters when it is safe to stop
> publishing the old key. Something along the lines of the key must
> continue to be published for at least signature lifetime + TTLsig +
> clockskew (this equation is not correct, needs work and is what got me
> thinking this in the first place). This equation depends largely on
> parameters related to signatures and so I wondered if that indicated
> that it might be in the signers realm of responsibility.
I prefer this to be optional. When KASP tells us not to use a key for
signing/publishing anymore, it should be safe to stop publishing the old
> However you all seem to be in agreement that the Enforcer should do it
> and I am happy with that.
> John Dickinson