[Opendnssec-develop] RFC5011 not implemented

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Thu Oct 15 18:02:31 UTC 2009

Rickard Bondesson <rickard.bondesson at iis.se> wrote on 15/10/2009 15:45:10:

> Hi
> When going through the functionality of OpenDNSSEC, I see that we have 
> implemented RFC5011. And I think that it is nothing that you can code 
during a
> couple of hours and then be finished.
> Any comments?

You are right.  Although you can mess around with the key timing and 
safety margins to get the appropriate hold-down time before and after the 
key is used, I would think it needs a bit of work in both KASP and the 
signer to handle the revoke bit.  Ideally, we would want a <rfc5011/> 
option that would automatically modify any policy to operate within the 
constraints set by the RFC.

I suggest we put it on the feature list for 1.1.  It's too late to include 
it now.


BTW, I've just updated the key timing draft and included an interpretation 
of how RFC 5011 affects the key roll process - see 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20091015/fe3a670c/attachment.htm>

More information about the Opendnssec-develop mailing list