[Opendnssec-develop] Discarding RRSIG from input zone

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Oct 30 08:31:52 UTC 2009


The only reason I can think of keeping the RRSIG is that if a zone
changes ownership (from zone administrator A to B), and you want it to
keep the zone secure (not drop back to unsigned), you need to publish
signatures of the other party.

But in that case, only the signature of the DNSKEY RRset is necessary.

Matthijs

Rickard Bellgrim wrote:
> Hi
>  
> The requirements say that "the signer MUST discard all DNSSEC RRs
> (except DNSKEY RRs) from the input data."
>  
> I see that the Signer Engine is keeping the RRSIG (which does not belong
> to any RR). Is this a feature or a bug?
>  

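An added example, not part of the original thread and not OpenDNSSEC code, of the input filtering discussed above: signer-generated records are dropped, DNSKEY is kept, and an option retains only RRSIGs that cover the DNSKEY RRset for the ownership-change case. The dropped type set, the `keep_dnskey_sigs` option, the one-RR-per-line parsing, and the sample zone are all assumptions.

```python
# Added illustration. Assumes one RR per line with an explicit owner name,
# no parenthesised multi-line records, and no ';' inside quoted strings.
SIGNER_GENERATED = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}  # assumed drop set
CLASSES = {"IN", "CH", "HS"}

# Constructed sample input; key and signature data are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.
example. 3600 IN SOA ns.example. host.example. 1 3600 600 86400 3600
example. 3600 IN NS ns.example.
example. 3600 IN DNSKEY 257 3 8 AwEAAQ==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20091130000000 20091030000000 12345 example. c2ln
example. 3600 IN RRSIG SOA 8 1 3600 20091130000000 20091030000000 12345 example. c2ln
ns.example. 3600 IN A 192.0.2.1
ns.example. 3600 IN NSEC example. A RRSIG NSEC
orphan.example. 3600 IN RRSIG A 8 2 3600 20091130000000 20091030000000 12345 example. c2ln
"""

def parse_rr(line):
    """Return (owner, type, rdata fields), or None for blanks, comments, directives."""
    text = line.split(";", 1)[0].strip()
    if not text or text.startswith("$"):
        return None
    fields = text.split()
    owner, rest = fields[0], fields[1:]
    # TTL and class are optional and may appear in either order.
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        rest = rest[1:]
    return (owner, rest[0].upper(), rest[1:]) if rest else None

def filter_zone(lines, keep_dnskey_sigs=False):
    """Split input lines into (kept, dropped) according to the discard rule."""
    kept, dropped = [], []
    for line in lines:
        rr = parse_rr(line)
        if rr is None or rr[1] not in SIGNER_GENERATED:
            kept.append(line)       # ordinary data, DNSKEY, directives
            continue
        _, rtype, rdata = rr
        # First RRSIG rdata field is the type covered.
        covers_dnskey = rtype == "RRSIG" and rdata and rdata[0].upper() == "DNSKEY"
        (kept if keep_dnskey_sigs and covers_dnskey else dropped).append(line)
    return kept, dropped

if __name__ == "__main__":
    for label, lines in zip(("kept", "dropped"), filter_zone(SAMPLE_ZONE.splitlines(), True)):
        print(label, *lines, sep="\n  ")
```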


