[Opendnssec-develop] Key removal

Rick van Rein rick at openfortress.nl
Tue Feb 24 10:11:38 UTC 2009


> I say if there are any signatures remaining from an old key, you have
> (at least) two choices:
> * Remove all signatures corresponding to the old key.
> * Keep these signatures until their lifetime is exceeded and they still
>   validate.

I see a third option:

* Keep these signatures until timing parameters of DNS establish that
  no cache can hold those signatures.

This assumes that some parties could have cached the old key and have not
felt a need to upgrade, but for newly accessed parts of a zone they would
still fetch new records with new signatures.


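The third option above turns on DNS timing: a resolver that fetched a record just before its old-key signature was withdrawn can keep that RRSIG for at most the RRset's TTL, and a cached signature is only useful until its own expiration field. The following is an added example, not code from the thread or from OpenDNSSEC, that computes the earliest moment the old key can go without stranding any cached signature; the class and function names, and the sample zone data, are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OldKeySignature:
    """One RRset that still carries an RRSIG made with the key being retired."""
    owner: str
    ttl: int             # RRset TTL in seconds, as published
    last_served: int     # unix time the old-key RRSIG was last present in the zone
    sig_expiration: int  # RRSIG expiration field, unix time


def cache_drain_time(sig: OldKeySignature) -> int:
    """Latest moment a well-behaved cache can still hand out this RRSIG and
    have it validate: a resolver that fetched it right before withdrawal keeps
    it for at most `ttl` seconds (resolvers only ever shorten TTLs), and nobody
    accepts it past the signature's own expiration."""
    return min(sig.last_served + sig.ttl, sig.sig_expiration)


def old_key_removal_time(sigs: list[OldKeySignature]) -> int:
    """Earliest time the old DNSKEY may be withdrawn such that no cache can
    still hold a signature that needs it (the third option in the thread).
    Generalises to any number of RRsets: the slowest-draining one decides."""
    if not sigs:
        raise ValueError("no old-key signatures to account for")
    return max(cache_drain_time(s) for s in sigs)


def possibly_cached(sigs: list[OldKeySignature], now: int) -> list[str]:
    """Owners whose old-key signature some cache may still be holding at `now`."""
    return [s.owner for s in sigs if cache_drain_time(s) > now]


# Constructed sample zone: three RRsets, all last served with the old key at T0.
T0 = 1_235_000_000  # arbitrary unix time near the date of this thread
DAY = 86_400
SAMPLE = [
    OldKeySignature("www.example.", ttl=3_600, last_served=T0, sig_expiration=T0 + 7 * DAY),
    OldKeySignature("mail.example.", ttl=DAY, last_served=T0, sig_expiration=T0 + 7 * DAY),
    # Long TTL but the signature itself expires in an hour, so expiration wins.
    OldKeySignature("old.example.", ttl=2 * DAY, last_served=T0, sig_expiration=T0 + 3_600),
]

if __name__ == "__main__":
    t = old_key_removal_time(SAMPLE)
    print("old key may be removed at unix time", t, "(T0 +", t - T0, "s)")
    print("still possibly cached one hour after withdrawal:", possibly_cached(SAMPLE, T0 + 3_600))
```

The rule is per RRset, so a single long-TTL record (here `mail.example.`) holds the old key in the zone for a full day even though every other signature has drained within the hour; conversely, an RRSIG close to its expiration drains early regardless of TTL. The computation does not account for resolvers that cached the old DNSKEY RRset itself and then fetch fresh records signed only by the new key, which is the separate pre-publication concern the message also raises.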