[Opendnssec-develop] ZSK rollovers
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu May 6 10:16:32 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sion Lloyd wrote:
>> The signer currently replaces signatures only if the keytag matches. For
>> example, in the current signer engine, Key 12345 will not replace old
>> signatures that were created with Key 67890.
>
> So in the unlikely event that you roll to a key with the same keytag we would see a gradual replacement of signatures?
Yes. This was already a known issue by the way.
>
>
> - - Now we have introduced assumptions about what rollover scheme is used
> into the signer engine. While it was explicitly designed *not* to know
> about.
>
> I think that we can cope with this. The enforcer should mark any key that should be used to sign as "active", then the signer doesn't need to know _why_ the key should be used, just that it should be.
That's ok. But the problem is the way the signer needs to replace
signatures:
- - In a pre-published rollover mechanism, you *don't* create a new
signature for the introduced key if there is a fresh signatures created
with a different key.
- - In a double signature rollover mechanism, you *do* create a new
signature for the introduced key if there is a fresh signatures created
with a different key.
Best regards,
Matthijs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEcBAEBAgAGBQJL4pbzAAoJEA8yVCPsQCW5PXIIANbkmmUXgobuTHzVJ3ONtO/W
/8gfJcrzRatTl5z07aUaazAhNfNsDy56zfhLwUmGO9my3oWo/mBe3uI/PtB8kkqs
IRp1AvXMLDyV4IyiWslvvLxJbs9yp6EI1vuljseNjDtnmXock81ndonL0pbBsD5U
COdINJY9k1h2Bhr5gH3p5IA0giPvwcJwMxX1QzZyeBpBeBix4SuEWBsxojHh/lbB
taSYyUoBPKKC5sr8EGeQZeFwDJUSrli6zuxNB5RQd18f5XQ3et0ijLLjiRElJQZp
mXutE5GMliJ2Ngm5Zee6Msv5KHXzYUd72A1PUz2sllzoCx8ZMcesZzhC9HUj23Q=
=qfd9
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop
mailing list