[Opendnssec-develop] RFC5011 not implemented

Rickard Bondesson rickard.bondesson at iis.se
Thu Oct 15 19:29:56 UTC 2009


And then you also have section "6.6. Trust Point Deletion" which requires operator interaction before the key is added to the zone.

So for now I think we need to put a comment in the rng that says that it is not implemented yet.

On 15 Oct 2009, at 20:03, Stephen.Morris at nominet.org.uk wrote:

Rickard Bondesson <rickard.bondesson at iis.se> wrote on 15/10/2009 15:45:10:

> Hi
>
> When going through the functionality of OpenDNSSEC, I see that we have not
> implemented RFC5011. And I think that it is nothing that you can code during a
> couple of hours and then be finished.
>
> Any comments?

You are right.  Although you can mess around with the key timing and safety margins to get the appropriate hold-down time before and after the key is used, I would think it needs a bit of work in both KASP and the signer to handle the revoke bit.  Ideally, we would want a <rfc5011/> option that would automatically modify any policy to operate within the constraints set by the RFC.

I suggest we put it on the feature list for 1.1.  It's too late to include it now.

Stephen

BTW, I've just updated the key timing draft and included an interpretation of how RFC 5011 affects the key roll process - see http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01.
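
Added example (not part of the original thread, and not OpenDNSSEC code): a sketch of the two RFC 5011 pieces the thread mentions, the REVOKE bit and the add hold-down time. It shows that setting REVOKE changes the DNSKEY key tag, which is one reason both the key manager and the signer have to be aware of it. The function names and the sample key bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

ZONE = 0x0100    # DNSKEY flags: Zone Key (RFC 4034)
SEP = 0x0001     # DNSKEY flags: Secure Entry Point (RFC 4034)
REVOKE = 0x0080  # DNSKEY flags: REVOKE bit (RFC 5011)
ADD_HOLD_DOWN = timedelta(days=30)  # RFC 5011 add hold-down time


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """Build DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (non-RSA/MD5 algorithms)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def is_revoked(rdata):
    (flags,) = struct.unpack("!H", rdata[:2])
    return bool(flags & REVOKE)


def revoke(rdata):
    """Return the same key with the REVOKE bit set in its flags field."""
    (flags,) = struct.unpack("!H", rdata[:2])
    return struct.pack("!H", flags | REVOKE) + rdata[2:]


def earliest_trust(first_seen, rrset_ttl):
    """Earliest time a resolver may accept a newly seen key as a trust
    anchor: 30 days or the original RRset TTL, whichever is greater."""
    return first_seen + max(ADD_HOLD_DOWN, timedelta(seconds=rrset_ttl))


# Constructed sample: an 8-byte placeholder instead of a real public key.
SAMPLE_KSK = dnskey_rdata(ZONE | SEP, 8, bytes(range(1, 9)))

if __name__ == "__main__":
    revoked = revoke(SAMPLE_KSK)
    print("key tag before revoke:", key_tag(SAMPLE_KSK))
    print("key tag after revoke: ", key_tag(revoked))
    seen = datetime(2009, 10, 15, tzinfo=timezone.utc)
    print("trusted no earlier than:", earliest_trust(seen, 3600))
```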