[Opendnssec-develop] Discarding RRSIG from input zone
rickard.bellgrim at iis.se
Fri Oct 30 08:45:34 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
> The only reason I can think of keeping the RRSIG is that if a zone
> changes ownership (from zone administrator A to B), and you want it to
> keep the zone secure (not drop back to unsigned), you need to publish
> signatures of the other party.
> But in that case, only the signature of the DNSKEY RRset is necessary.
I am using the zone http://trac.opendnssec.org/browser/trunk/testing/zonedatatest/all.rr.org where I have a RRSIG for a A RR, which does not exist. Another interesting thing is that the Signer creates a RRSIG for this RRSIG.
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Opendnssec-develop