[Opendnssec-develop] Discarding RRSIG from input zone

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Oct 30 08:45:34 UTC 2009



> The only reason I can think of keeping the RRSIG is that if a zone
> changes ownership (from zone administrator A to B), and you want it to
> keep the zone secure (not drop back to unsigned), you need to publish
> signatures of the other party.
>
> But in that case, only the signature of the DNSKEY RRset is necessary.

I am using the zone http://trac.opendnssec.org/browser/trunk/testing/zonedatatest/all.rr.org where I have an RRSIG for an A RR, which does not exist. Another interesting thing is that the Signer creates an RRSIG for this RRSIG.

// Rickard



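The two conditions reported in this message (an RRSIG covering an RRset that is not in the zone, and an RRSIG whose covered type is itself RRSIG) can be checked on an input zone before signing. The following is an added example, not part of the original message and not OpenDNSSEC code; it assumes one record per line with fully-qualified owner names and explicit TTL and class, and its `keep_types` parameter is a hypothetical way of expressing the quoted suggestion that only the DNSKEY RRset signature needs to be kept.

```python
from collections import defaultdict

# Constructed sample zone (not the all.rr.org test zone): one record per line,
# fully-qualified owners, placeholder signature data "c2ln".
SIG = "8 3 3600 20091130000000 20091030000000 12345 example.com. c2ln"
SAMPLE_ZONE = f"""\
example.com.     3600 IN SOA    ns1.example.com. host.example.com. 1 3600 600 86400 3600
example.com.     3600 IN NS     ns1.example.com.
example.com.     3600 IN DNSKEY 257 3 8 c2ln
example.com.     3600 IN RRSIG  DNSKEY {SIG}
ns1.example.com. 3600 IN A      192.0.2.1
ns1.example.com. 3600 IN RRSIG  A {SIG}
www.example.com. 3600 IN RRSIG  A {SIG} ; no A RRset at this owner
www.example.com. 3600 IN RRSIG  RRSIG {SIG}
"""

def parse_records(zone_text):
    """Yield (owner, rrtype, rdata_fields) for each non-empty, non-comment line."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # assumption: no ';' inside rdata
        if not line:
            continue
        owner, _ttl, _cls, rrtype, *rdata = line.split()
        yield owner.lower(), rrtype.upper(), rdata

def classify_rrsigs(zone_text, keep_types=("DNSKEY",)):
    """Sort every input RRSIG into orphan / covers_rrsig / keep / discard."""
    present = defaultdict(set)   # owner -> set of non-RRSIG types in the zone
    rrsigs = []                  # (owner, type covered) for each RRSIG seen
    for owner, rrtype, rdata in parse_records(zone_text):
        if rrtype == "RRSIG":
            rrsigs.append((owner, rdata[0].upper()))  # first rdata field = type covered
        else:
            present[owner].add(rrtype)
    report = {"orphan": [], "covers_rrsig": [], "keep": [], "discard": []}
    for owner, covered in rrsigs:
        if covered == "RRSIG":
            bucket = "covers_rrsig"      # a signature over a signature
        elif covered not in present[owner]:
            bucket = "orphan"            # covered RRset is not in the zone
        elif covered in keep_types:
            bucket = "keep"              # e.g. other party's DNSKEY signature
        else:
            bucket = "discard"           # will be regenerated by the signer
        report[bucket].append((owner, covered))
    return report

if __name__ == "__main__":
    for bucket, items in classify_rrsigs(SAMPLE_ZONE).items():
        print(bucket, items)
```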

