[Opendnssec-develop] ZSK rollovers
Jakob Schlyter
jakob at kirei.se
Thu May 6 10:45:41 UTC 2010
On 6 May 2010, at 12.16, Matthijs Mekking wrote:
> That's ok. But the problem is the way the signer needs to replace
> signatures:
>
> - In a pre-published rollover mechanism, you *don't* create a new
> signature for the introduced key if there are fresh signatures created
> with a different key.
>
> - In a double signature rollover mechanism, you *do* create a new
> signature for the introduced key if there are fresh signatures created
> with a different key.
doesn't my rule:
- If the RRSIG covers a DNSKEY and the set of RRSIGs (using the same algorithm)
does not include signatures by all keys marked as KSK, RRSIGs for that
DNSKEY may not be recycled.
handle this automagically? This way you can recycle RRSIG DNSKEY, but you don't in the case where a new KSK appears.
jakob
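The rule Jakob states can be written down as a predicate over the RRSIG set and the key set. The block below is an added illustration, not OpenDNSSEC's signer code: the Key and Rrsig records are a constructed, simplified model (key tag, algorithm, KSK/ZSK role, type covered, expiration), and the refresh window is an assumed parameter. It shows that the same rule recycles a fresh DNSKEY signature in steady state, refuses to recycle it once a second KSK is present (forcing the double signature), and still recycles everything when only a new ZSK is pre-published.

```python
from dataclasses import dataclass

# Added illustration of the RRSIG recycling rule discussed in the mail above.
# Not OpenDNSSEC code: Key/Rrsig are a constructed, simplified model and the
# refresh window is an assumed parameter.

KSK, ZSK = "KSK", "ZSK"


@dataclass(frozen=True)
class Key:
    tag: int        # key tag used to match RRSIGs to DNSKEYs
    algorithm: int  # DNSSEC algorithm number, e.g. 8 = RSASHA256
    role: str       # KSK or ZSK


@dataclass(frozen=True)
class Rrsig:
    type_covered: str  # RR type the signature covers, e.g. "DNSKEY" or "A"
    algorithm: int
    key_tag: int
    expiration: int    # seconds since the epoch


def is_fresh(sig: Rrsig, now: int, refresh: int) -> bool:
    """A signature is fresh when it does not expire inside the refresh window."""
    return sig.expiration - now > refresh


def ksk_tags(keys, algorithm: int) -> set:
    """Tags of every key marked KSK for the given algorithm."""
    return {k.tag for k in keys if k.role == KSK and k.algorithm == algorithm}


def may_recycle(sig: Rrsig, rrsigs, keys, now: int, refresh: int) -> bool:
    """The rule from the mail: a fresh RRSIG may be reused, except that an RRSIG
    over DNSKEY may only be reused when the same-algorithm RRSIG set already
    contains a signature by every key marked KSK.  A newly introduced KSK thus
    forces re-signing the DNSKEY RRset (double signature), while a pre-published
    ZSK leaves all existing signatures reusable."""
    if not is_fresh(sig, now, refresh):
        return False
    if sig.type_covered != "DNSKEY":
        return True
    signers = {s.key_tag for s in rrsigs
               if s.type_covered == "DNSKEY" and s.algorithm == sig.algorithm}
    return ksk_tags(keys, sig.algorithm) <= signers


def scenarios() -> dict:
    """Constructed zone states; returns which RRSIGs the rule lets us keep."""
    now, refresh = 1_000_000, 3 * 86400
    fresh = now + 30 * 86400
    stale = now + 86400              # expires inside the refresh window
    ksk, zsk = Key(100, 8, KSK), Key(200, 8, ZSK)
    sig_dnskey = Rrsig("DNSKEY", 8, 100, fresh)
    sig_a = Rrsig("A", 8, 200, fresh)
    sigs = [sig_dnskey, sig_a]

    def check(keys, rrsigs=sigs):
        return {s.type_covered: may_recycle(s, rrsigs, keys, now, refresh)
                for s in rrsigs}

    steady = check([ksk, zsk])
    # Double-signature KSK rollover: a second KSK is now in the key set.
    new_ksk = check([ksk, Key(101, 8, KSK), zsk])
    # Pre-publish ZSK rollover: a second ZSK appears; nothing requires its signature yet.
    new_zsk = check([ksk, zsk, Key(201, 8, ZSK)])
    # A DNSKEY signature about to expire is never recycled, even in steady state.
    expiring = check([ksk, zsk], [Rrsig("DNSKEY", 8, 100, stale), sig_a])["DNSKEY"]
    return {"steady": steady, "new_ksk": new_ksk, "new_zsk": new_zsk,
            "expiring": expiring}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

Note that the rule only looks at keys marked KSK, so a ZSK that also signs DNSKEY (as some signers do) neither blocks nor triggers recycling under it; if that behaviour is wanted the set comparison would have to include those keys too.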