[Opendnssec-develop] Key removal
Rick van Rein
rick at openfortress.nl
Tue Feb 24 10:11:38 UTC 2009
Hello,
> I say if there are any signatures remaining from an old key, you have
> (at least) two choices:
> * Remove all signatures corresponding to the old key.
> * Keep these signatures until their lifetime has been exceeded and they still
> validate.
I see a third option:
* Keep these signatures until timing parameters of DNS establish that
no cache can hold those signatures.
This assumes that some parties could have cached the old key and have not
felt a need to upgrade, but for newly accessed parts of a zone they would
still fetch new records with new signatures.
Cheers,
-Rick
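The "no cache can hold those signatures" condition from the third option, worked through as an added example (not code from this thread or from OpenDNSSEC): for each RRset signed by the old key, a cache entry fetched at the last possible moment lives for that RRset's TTL, capped by the RRSIG's own expiration; the names, the propagation-delay parameter and the sample records are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedRRset:
    """One RRset as seen by a resolver: its TTL and the RRSIG covering it."""
    name: str
    ttl: int          # seconds a cache may keep the RRset (and its RRSIG)
    key_tag: int      # tag of the DNSKEY that produced the RRSIG
    expiration: int   # RRSIG expiration, seconds since epoch


def old_signatures_flushed_by(rrsets, old_key_tag, last_published, propagation_delay):
    """Earliest time at which no resolver cache can still hold an RRSIG
    produced by old_key_tag.

    last_published: when the re-signed zone (new signatures only) reached
        the primary; after this, only stale secondaries can still hand out
        old-key signatures.
    propagation_delay: worst-case lag before every secondary has the
        re-signed zone (assumed parameter; derive it from SOA refresh/retry
        or NOTIFY behaviour in a real deployment).

    A cache entry obtained at last_published + propagation_delay survives
    for the RRset TTL, but a validating resolver will not keep a signed
    RRset past the RRSIG expiration, so that caps the lifetime as well.
    """
    last_possible_fetch = last_published + propagation_delay
    deadline = last_published
    for rrset in rrsets:
        if rrset.key_tag != old_key_tag:
            continue  # signed by another key; not affected by this removal
        held_until = min(last_possible_fetch + rrset.ttl, rrset.expiration)
        deadline = max(deadline, held_until)
    return deadline


# Constructed sample zone data (not real records).
T0 = 1_000_000
SAMPLE = [
    SignedRRset("www.example.", 3600, 111, T0 + 100_000),
    SignedRRset("mail.example.", 86400, 111, T0 + 50_000),   # expiry caps TTL
    SignedRRset("ns.example.", 86400, 222, T0 + 100_000),    # new key, ignored
]

if __name__ == "__main__":
    when = old_signatures_flushed_by(SAMPLE, 111, T0, 7200)
    print(f"old-key signatures cannot be cached anywhere after t={when}")
```

Until the returned time, a validator that cached the old DNSKEY and an old-key RRSIG may still need both, so the old key should stay available that long.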