[Opendnssec-develop] RFC5011 not implemented
Stephen.Morris at nominet.org.uk
Thu Oct 15 18:02:31 UTC 2009
Rickard Bondesson <rickard.bondesson at iis.se> wrote on 15/10/2009 15:45:10:
> Hi
>
> When going through the functionality of OpenDNSSEC, I see that we have
> not implemented RFC5011. And I think that it is nothing that you can
> code during a couple of hours and then be finished.
>
> Any comments?
You are right. Although you can mess around with the key timing and
safety margins to get the appropriate hold-down time before and after the
key is used, I would think it needs a bit of work in both KASP and the
signer to handle the revoke bit. Ideally, we would want a <rfc5011/>
option that would automatically modify any policy to operate within the
constraints set by the RFC.
I suggest we put it on the feature list for 1.1. It's too late to include
it now.
Stephen
BTW, I've just updated the key timing draft and included an interpretation
of how RFC 5011 affects the key roll process - see
http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01.
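The hold-down time and revoke bit discussed above, as an added example that is not part of this thread or of OpenDNSSEC's code: a minimal validator-side RFC 5011 state machine in Python, plus the RFC 4034 key-tag computation that shows why a revoked key has to be tracked by its public key rather than by its key tag. The key bytes and dates are constructed, and only the 30-day add hold-down is modelled (the remove hold-down is left out).

```python
from datetime import datetime, timedelta

ZONE, SEP, REVOKE = 0x0100, 0x0001, 0x0080  # DNSKEY flag bits (RFC 4034 2.1.1, RFC 5011 2.1)
ADD_HOLD_DOWN = timedelta(days=30)          # RFC 5011 2.4.1: minimum add hold-down time

def key_tag(flags, algorithm, pubkey, protocol=3):
    """RFC 4034 appendix B key tag over the DNSKEY RDATA. The flags are part of
    the RDATA, so setting REVOKE changes the tag a validator sees."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

class Rfc5011Anchors:
    """Validator-side state machine for one zone: Start -> AddPend -> Valid ->
    Revoked, keyed by (algorithm, pubkey) because the key tag changes on revoke."""
    def __init__(self, initial_keys):
        self.state = {k: "Valid" for k in initial_keys}
        self.pending_since = {}
    def observe(self, dnskey_rrset, now):
        """dnskey_rrset: (flags, algorithm, pubkey) tuples from one response whose
        RRSIG the caller has already verified against a currently Valid anchor."""
        if "Valid" not in self.state.values():
            raise RuntimeError("no valid trust anchor left; cannot accept updates")
        seen = set()
        for flags, alg, pub in dnskey_rrset:
            if not flags & SEP:
                continue                       # only SEP keys are anchor candidates
            k = (alg, pub)
            seen.add(k)
            if flags & REVOKE:
                self.state[k] = "Revoked"      # permanent: never trusted again
                continue
            st = self.state.get(k, "Start")
            if st == "Start":
                self.state[k], self.pending_since[k] = "AddPend", now
            elif st == "AddPend" and now - self.pending_since[k] >= ADD_HOLD_DOWN:
                self.state[k] = "Valid"        # hold-down survived; promote
        for k in [k for k, s in self.state.items() if s == "AddPend" and k not in seen]:
            del self.state[k]                  # vanished during AddPend: back to Start
        return dict(self.state)

def rollover_walkthrough():
    # Constructed KSK roll with made-up 4-byte "public keys": the new key appears,
    # waits out the add hold-down, then the old key is published with REVOKE set.
    old, new = (8, b"\x01\x02\x03\x04"), (8, b"\x05\x06\x07\x08")
    v, t0 = Rfc5011Anchors([old]), datetime(2009, 10, 15)
    both = [(ZONE | SEP, 8, old[1]), (ZONE | SEP, 8, new[1])]
    day0 = v.observe(both, t0)[new]
    day30 = v.observe(both, t0 + ADD_HOLD_DOWN)[new]
    revoked = v.observe([(ZONE | SEP | REVOKE, 8, old[1]), both[1]], t0 + timedelta(days=31))[old]
    return day0, day30, revoked
```

A signer that sets the revoke bit must also re-sign the DNSKEY RRset with the revoked key itself, which is the part of the RFC this thread expects KASP and the signer to need work for.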