[Opendnssec-develop] Fw: [Opendnssec-user] auditor and rollover
Alexd at nominet.org.uk
Fri Mar 26 11:59:40 UTC 2010
> > Gilles is having problems because the auditor is complaining that
> > RRSIGs do not include those for the algorithm of a retired key. So,
> > should:
> >
> > a) the auditor not complain about missing RRSIGs for algorithms
> > for which all keys in the zone have been retired (although still
> > published)? or
> > b) the zone not include keys with algorithms for which there are no
> > RRSIGs?
>
> RFC4035 - Section 2.2
> ----
> There MUST be an RRSIG for each RRset using at least one DNSKEY of
> each algorithm in the zone apex DNSKEY RRset.
> ----
>
> Does this mean the following?
>
> * Rolling to a new ZSK algorithm: The prepublished ZSK must sign
> the DNSKEY RRset until we can sign the rest of the zone with the
> ZSK, once it is ready.
>
> * We cannot roll both the KSK and ZSK to a new algorithm at the
> same time (retiring them at the same time), since the old KSK
> algorithm must sign the DNSKEY RRset until the old ZSK does not need
> to be postpublished.
Anyone?
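As an added illustration (not code from the thread or from OpenDNSSEC's auditor), a small Python check that applies the RFC 4035 section 2.2 sentence quoted above literally to a constructed zone snapshot: it reproduces the complaint for a retired-but-still-published key and shows the complaint clearing once that key leaves the apex DNSKEY RRset, i.e. option (b). Zone names, algorithm numbers and RRset contents are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample zone (not from the thread): every authoritative RRset
# in example.org, as (owner, rrtype) pairs.
RRSETS = [
    ("example.org.", "SOA"), ("example.org.", "NS"), ("example.org.", "DNSKEY"),
    ("www.example.org.", "A"),
]

# Apex DNSKEY RRset after a ZSK algorithm roll: the retired key (alg 5) is
# still published alongside the new keys (alg 8).
DNSKEY_ALGS_RETIRED_STILL_PUBLISHED = [5, 8, 8]
# Same zone after option (b): the alg-5 key has been withdrawn from the RRset.
DNSKEY_ALGS_RETIRED_WITHDRAWN = [8, 8]

# RRSIGs present in the zone as (owner, rrtype, algorithm): everything is
# signed with alg 8 only, because the retired alg-5 key no longer signs.
RRSIGS = [(owner, rrtype, 8) for owner, rrtype in RRSETS]


def missing_rrsigs(rrsets, dnskey_algs, rrsigs):
    """Apply RFC 4035 section 2.2 literally: each RRset needs an RRSIG made
    with at least one DNSKEY of *every* algorithm in the apex DNSKEY RRset.
    Returns the (owner, rrtype, algorithm) triples that are not covered."""
    required = set(dnskey_algs)
    covered = defaultdict(set)
    for owner, rrtype, alg in rrsigs:
        covered[(owner, rrtype)].add(alg)
    return [
        (owner, rrtype, alg)
        for owner, rrtype in rrsets
        for alg in sorted(required - covered[(owner, rrtype)])
    ]


def audit(rrsets, dnskey_algs, rrsigs):
    """Report the gaps the way an auditor would: one message per missing
    RRSIG, an empty list when the zone satisfies the rule."""
    return [
        f"{owner} {rrtype}: no RRSIG with algorithm {alg}"
        for owner, rrtype, alg in missing_rrsigs(rrsets, dnskey_algs, rrsigs)
    ]


if __name__ == "__main__":
    for label, algs in [("retired key still published", DNSKEY_ALGS_RETIRED_STILL_PUBLISHED),
                        ("retired key withdrawn", DNSKEY_ALGS_RETIRED_WITHDRAWN)]:
        print(f"--- {label} ---")
        for line in audit(RRSETS, algs, RRSIGS) or ["zone satisfies RFC 4035 section 2.2"]:
            print(line)
```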