[Opendnssec-develop] ZSK rollovers

Matthijs Mekking matthijs at NLnetLabs.nl
Thu May 6 13:01:57 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jakob Schlyter wrote:
> On 6 May 2010, at 14.07, Matthijs Mekking wrote:
> 
>> That rule implies that we are always going to use double signature rollover
>> for KSKs and always going to use pre-publish key rollover for ZSKs
> 
> for KSK, no - if you use a pre-publish key rollover for the KSK it works as well.

Sure, because you never reuse signatures in this special rule, you can
do every rollover you want.

> for ZSK, yes - but doing anything else for ZSK rollovers is IMHO just plain stupid.

I am not judging signing policies. I am worried about limiting
possibilities for OpenDNSSEC. It might be that I want to sign my small
zone with double signatures (don't care about the size). A new rollover
scheme might be introduced.

And thus we have key rollover assumptions in the signer engine which
break the original design (keep repeating it...). We can do it this
way, I just want to stress the disadvantages.


Best regards,

Matthijs

> also, doing double signature rollovers with just one combined KSK/ZSK works as well but that is just absurd.
> 
> 	jakob
> 
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJL4r3CAAoJEA8yVCPsQCW5Z90H/igfMEWqlaOAKyL0DIfKovLM
2Ty3PFTizer1/l6POKBqoTkRpAxX+hT5K1vtph/JZg/C05duPtyV06GJ0JCvBHWp
Vgh7l7fXE4MMjFFR2ZLEpmU2aPN+yGx5l0dAHSzLanIl00lRCbCewzeCF5EjAWtM
0zPEmzXYBQKAfZgVTLEX+ToW/dXpO+sBMXZoeBx0VvhAd+Ruy4/gCw5Emm3L/QoK
RwuWyinRpkgut8ZcgCPQEBCP9Q/NS+163msUudpHQG8Qke3IFPDiQD7dmbjFfi27
8zC4o34OUCkEHAAM4fwemxhNaY96XApJUS5c5XtdtNjPTvSNcHYV5uSJrXwpzhQ=
=MzLU
-----END PGP SIGNATURE-----
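The two ZSK rollover schemes the thread argues about, as an added toy model (not OpenDNSSEC code, and not from either poster). The phase sequences follow RFC 6781 (pre-publish rollover in section 4.1.1.1, double-signature rollover in section 4.1.1.2); the key names are constructed placeholders, and the model tracks only which ZSKs sit in the published DNSKEY RRset and which ones sign the zone data. The `check_rollover` function is the invariant a caching resolver needs, expressed over adjacent phases, and `max_rrsigs_per_rrset` makes the size cost of double signatures visible. KSK and combined KSK/ZSK rollovers are out of scope here.

```python
"""Toy model of the two ZSK rollover schemes discussed in this thread.

Added illustration, not OpenDNSSEC code. Phase sequences follow RFC 6781
(pre-publish: section 4.1.1.1, double signature: section 4.1.1.2). Key names
are constructed placeholders; only DNSKEY membership and which keys sign are
modelled, not TTLs or signature validity periods.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase:
    name: str
    dnskeys: frozenset  # ZSKs present in the published DNSKEY RRset
    signers: frozenset  # ZSKs whose RRSIGs cover the zone data


def pre_publish_rollover(old: str, new: str) -> list[Phase]:
    """New key is published first, takes over signing only after resolvers
    can have learnt it, and the old key is dropped last."""
    return [
        Phase("initial", frozenset({old}), frozenset({old})),
        Phase("new DNSKEY", frozenset({old, new}), frozenset({old})),
        Phase("new RRSIGs", frozenset({old, new}), frozenset({new})),
        Phase("DNSKEY removal", frozenset({new}), frozenset({new})),
    ]


def double_signature_rollover(old: str, new: str) -> list[Phase]:
    """Both keys are published and both sign everything; the old key and its
    signatures are dropped in one step once caches have expired."""
    return [
        Phase("initial", frozenset({old}), frozenset({old})),
        Phase("new DNSKEY and RRSIGs", frozenset({old, new}), frozenset({old, new})),
        Phase("DNSKEY removal", frozenset({new}), frozenset({new})),
    ]


def abrupt_rollover(old: str, new: str) -> list[Phase]:
    """Key swapped in a single step; kept as the negative case."""
    return [
        Phase("initial", frozenset({old}), frozenset({old})),
        Phase("swap", frozenset({new}), frozenset({new})),
    ]


def check_rollover(phases: list[Phase]) -> list[str]:
    """Return the validation problems a caching resolver could run into.

    A resolver needs at least one RRSIG it can verify with a DNSKEY RRset it
    holds. Because the DNSKEY RRset and the signed data may be cached from
    different phases, every adjacent pair of phases is checked both ways.
    """
    problems = []
    for cur, nxt in zip(phases, phases[1:]):
        if not (nxt.signers & cur.dnskeys):
            problems.append(
                f"{cur.name}->{nxt.name}: new RRSIGs unverifiable with cached DNSKEY RRset")
        if not (cur.signers & nxt.dnskeys):
            problems.append(
                f"{cur.name}->{nxt.name}: cached RRSIGs unverifiable with new DNSKEY RRset")
    for p in phases:
        if not (p.signers & p.dnskeys):
            problems.append(f"{p.name}: signing key not in DNSKEY RRset")
    return problems


def max_rrsigs_per_rrset(phases: list[Phase]) -> int:
    """Size cost of a scheme: ZSK RRSIGs carried per RRset at the peak."""
    return max(len(p.signers) for p in phases)


if __name__ == "__main__":
    for scheme in (pre_publish_rollover, double_signature_rollover, abrupt_rollover):
        phases = scheme("zsk-old", "zsk-new")
        problems = check_rollover(phases)
        print(f"{scheme.__name__}: max RRSIGs per RRset = "
              f"{max_rrsigs_per_rrset(phases)}, "
              f"{'ok' if not problems else problems}")
```

Both RFC 6781 schemes pass the check; the abrupt swap fails in both directions, which is the failure the extra phases exist to prevent. The model also shows the trade-off raised in the thread: double signature peaks at two ZSK RRSIGs per RRset, pre-publish stays at one.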
