[Opendnssec-develop] Fw: [Opendnssec-user] auditor and rollover

Alexd at nominet.org.uk Alexd at nominet.org.uk
Fri Mar 26 11:59:40 UTC 2010

> > Gilles is having problems because the auditor is complaining that 
> RRSIGs do not include those for the algorithm of a retired key. So, 
should : 
> > 
> > a) the auditor not complain about missing RRSIGs for algorithms 
> for which all keys in the zone have been retired (although still 
> published)? or 
> > b) the zone not include keys with algorithms for which there are no 
> RFC4035 - Section 2.2
> ----
> There MUST be an RRSIG for each RRset using at least one DNSKEY of 
> each algorithm in the zone apex DNSKEY RRset.
> ----
> Does this mean the following?:
>  * Rolling to a new ZSK algorithm: The prepublished ZSK must sign 
> the DNSKEY RRset until we can sign the rest of the zone with the 
> ZSK, once it is ready.
>  * We cannot roll both the KSK and ZSK to a new algorithm at the 
> same time (retiring them at the same time), since the old KSK 
> algorithm must sign the DNSKEY RRset until the old ZSK does not need
> to be postpublished.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100326/25931695/attachment.htm>

More information about the Opendnssec-develop mailing list