[Opendnssec-develop] ZSK rollovers
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu May 6 12:07:26 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
That rule implies that we are always going to use double signature rollover
for KSKs and always going to use pre-publish key rollover for ZSKs.
Best regards,
Matthijs
Jakob Schlyter wrote:
> On 6 May 2010, at 12.16, Matthijs Mekking wrote:
>
>> That's ok. But the problem is the way the signer needs to replace
>> signatures:
>>
>> - In a pre-published rollover mechanism, you *don't* create a new
>> signature for the introduced key if there is a fresh signature created
>> with a different key.
>>
>> - In a double signature rollover mechanism, you *do* create a new
>> signature for the introduced key if there is a fresh signature created
>> with a different key.
>
> doesn't my rule:
>
> - If the RRSIG covers a DNSKEY and the set of RRSIGs (using the same algorithm)
> does not include signatures by all keys marked as KSK, RRSIGs for that
> DNSKEY may not be recycled.
>
> handle this automagically? this way you can recycle RRSIG DNSKEY, but you don't in case when a new KSK appears.
>
>
> jakob
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEcBAEBAgAGBQJL4rD0AAoJEA8yVCPsQCW56M8H/2vhUR83bKQk5/00XCQ6fI8W
4oqnLUI5e5sOSw1Cl/4yfJocqstH2EauqgIm5QYpOvBcI4DDUZmnVk3Qut7lJNNm
clVNZZMRMr9RZn+Q9y9oLZ+xhBSvKR4mNfFMj8ekUaLOwoVAxKvQUpIyPb+1YyNd
JiCcYfqatDHxPwdTBh4OO+BwTUSy4ApIyo1oBQDNkyGpB170/ah8bEl5AZ5O6C+G
38z5/qpUIWS9eLfD9HstDHVnoxI2bfMDyow7UQiSLMllmoVE0lwPfsR7aYdItgBn
+waG58OYOSkCUDrSI2oD2tPaPOvmR8B90QIm7Qzr+kR4PIRGNDCpTxBYvQ6/QPQ=
=6/0n
-----END PGP SIGNATURE-----
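The recycling rule discussed in this thread, as an added example that is not OpenDNSSEC's own signer code. It models Jakob's rule (RRSIGs over a DNSKEY RRset may only be recycled when, per algorithm, every key marked KSK has signed; other RRsets recycle any fresh signature) and shows how the same rule yields pre-publish behaviour for a ZSK rollover and double-signature behaviour for a KSK rollover. The `Key` and `RRSIG` records, the freshness test (more than a refresh interval of validity left), the constructed clock values and the assumption that a signature by a key no longer in the DNSKEY set never counts are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Key:
    tag: int        # DNSKEY key tag
    algorithm: int  # DNSSEC algorithm number, e.g. 8 (RSASHA256)
    role: str       # "KSK" or "ZSK"


@dataclass(frozen=True)
class RRSIG:
    covers: str      # RR type the signature covers, e.g. "DNSKEY" or "A"
    key_tag: int     # key tag of the signing key
    algorithm: int   # algorithm of the signing key
    expiration: int  # absolute expiration time in seconds (constructed clock)


def is_fresh(sig: RRSIG, now: int, refresh: int) -> bool:
    """Assumed freshness test: the signature still has more than one refresh
    interval of validity left, so the signer would not re-sign it anyway."""
    return sig.expiration - now > refresh


def may_recycle(rrtype: str, sigs: Iterable[RRSIG], keys: Iterable[Key],
                now: int, refresh: int) -> bool:
    """Return True if the existing RRSIGs over `rrtype` can be kept as they are.

    Non-DNSKEY RRsets: one fresh signature by a still-published key suffices
    (pre-publish behaviour: the newly introduced ZSK is not asked to sign yet).
    DNSKEY RRset: for every algorithm, every key marked KSK must have a fresh
    signature present, otherwise the set must be re-signed (double-signature
    behaviour: a newly introduced KSK forces new RRSIG DNSKEY records).
    """
    keys = list(keys)
    published = {(k.tag, k.algorithm) for k in keys}
    # Assumption: a signature by a key that is no longer in the DNSKEY set is
    # useless to validators, so it never counts towards recycling.
    usable = [s for s in sigs
              if s.covers == rrtype
              and is_fresh(s, now, refresh)
              and (s.key_tag, s.algorithm) in published]
    if not usable:
        return False
    if rrtype != "DNSKEY":
        return True
    for alg in {k.algorithm for k in keys if k.role == "KSK"}:
        required = {k.tag for k in keys if k.role == "KSK" and k.algorithm == alg}
        present = {s.key_tag for s in usable if s.algorithm == alg}
        if not required <= present:
            return False
    return True


NOW, REFRESH = 1000, 100  # constructed clock and refresh interval (seconds)


def zsk_prepublish_rollover() -> Tuple[bool, bool]:
    """New ZSK 11 is published next to active ZSK 10 (constructed key set).
    Returns (recycle with a fresh RRSIG by ZSK 10, recycle when that RRSIG is near expiry)."""
    keys = [Key(1, 8, "KSK"), Key(10, 8, "ZSK"), Key(11, 8, "ZSK")]
    fresh_sig = [RRSIG("A", 10, 8, NOW + 2000)]
    stale_sig = [RRSIG("A", 10, 8, NOW + 50)]
    return (may_recycle("A", fresh_sig, keys, NOW, REFRESH),
            may_recycle("A", stale_sig, keys, NOW, REFRESH))


def ksk_double_signature_rollover() -> Tuple[bool, bool]:
    """New KSK 2 is introduced next to KSK 1 (constructed key set).
    Returns (recycle with only KSK 1's RRSIG DNSKEY, recycle once both KSKs have signed)."""
    keys = [Key(1, 8, "KSK"), Key(2, 8, "KSK"), Key(10, 8, "ZSK")]
    only_old = [RRSIG("DNSKEY", 1, 8, NOW + 2000)]
    both = only_old + [RRSIG("DNSKEY", 2, 8, NOW + 2000)]
    return (may_recycle("DNSKEY", only_old, keys, NOW, REFRESH),
            may_recycle("DNSKEY", both, keys, NOW, REFRESH))


def mixed_algorithm_dnskey() -> bool:
    """KSKs of two algorithms: each algorithm's RRSIG set is judged on its own."""
    keys = [Key(1, 8, "KSK"), Key(3, 13, "KSK"), Key(10, 8, "ZSK"), Key(12, 13, "ZSK")]
    sigs = [RRSIG("DNSKEY", 1, 8, NOW + 2000), RRSIG("DNSKEY", 3, 13, NOW + 2000)]
    return may_recycle("DNSKEY", sigs, keys, NOW, REFRESH)


if __name__ == "__main__":
    print("ZSK pre-publish (fresh, stale):", zsk_prepublish_rollover())
    print("KSK double signature (old only, both):", ksk_double_signature_rollover())
    print("Mixed-algorithm DNSKEY:", mixed_algorithm_dnskey())
```

Note that the rule never needs to know which rollover type is in progress: the signer simply asks whether the existing signatures satisfy the policy for the RRset type, and the KSK-completeness condition on the DNSKEY RRset is what turns a KSK introduction into a re-sign while a ZSK introduction leaves fresh signatures alone.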