[Opendnssec-develop] ZSK rollovers
matthijs at NLnetLabs.nl
Thu May 6 13:01:57 UTC 2010
Jakob Schlyter wrote:
> On 6 May 2010, at 14.07, Matthijs Mekking wrote:
>> That rule implies that we are always going to use double signature rollover
>> for KSKs and always going to use pre-publish key rollover for ZSKs
> for KSK, no - if you use a pre-publish key rollover for the KSK it works as well.
Sure, because you never reuse signatures in this special rule, you can
do every rollover you want.
> for ZSK, yes - but doing anything else for ZSK rollovers is IMHO just plain stupid.
I am not judging signing policies. I am worried about limiting
possibilities for OpenDNSSEC. It might be that I want to sign my small
zone with double signatures (don't care about the size). A new rollover
scheme might be introduced.
And thus we have key rollover assumptions in the signer engine which
break the original design (keep repeating it...). We can do it this
way, I just want to stress the disadvantages.
> also, doing double signature rollovers with just one combined KSK/ZSK works as well but that is just absurd.
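As an added illustration of the two ZSK rollover schemes under discussion (this is example code, not part of the thread or of OpenDNSSEC), the model below checks the property a validator relies on: across any two consecutive rollover steps, a cached DNSKEY RRset must still validate freshly fetched zone data, and cached zone data must still validate against a freshly fetched DNSKEY RRset. It assumes each step is held for longer than the largest TTL involved, so a resolver never mixes data from more than two adjacent steps; keys and signatures are modelled as name sets only.

```python
# Added example: a minimal model of pre-publish and double-signature ZSK
# rollovers, checked against the cache-consistency rule described above.
# Assumption: every step outlasts the longest TTL, so a resolver holds data
# from at most two adjacent steps at any moment.

def validates(dnskeys, rrsigs):
    """Zone data validates if at least one covering RRSIG was made by a published key."""
    return bool(set(dnskeys) & set(rrsigs))

def first_unsafe_step(steps):
    """steps: list of (published DNSKEY set, set of keys whose RRSIGs cover the zone).
    Returns the index of the first transition that can fail validation, else None."""
    for i in range(len(steps) - 1):
        old_keys, old_sigs = steps[i]
        new_keys, new_sigs = steps[i + 1]
        # Resolver still has the old DNSKEY RRset cached but fetches fresh data.
        if not validates(old_keys, new_sigs):
            return i
        # Resolver still has old data cached but fetches the fresh DNSKEY RRset.
        if not validates(new_keys, old_sigs):
            return i
    return None

# Pre-publish: publish Z2, wait, re-sign everything with Z2, wait, retire Z1.
# Only one set of signatures exists at any time, but the switch re-signs the whole zone.
PRE_PUBLISH = [
    ({"KSK", "Z1"}, {"Z1"}),
    ({"KSK", "Z1", "Z2"}, {"Z1"}),
    ({"KSK", "Z1", "Z2"}, {"Z2"}),
    ({"KSK", "Z2"}, {"Z2"}),
]
# Double signature: publish Z2 and sign with both keys, wait, retire Z1.
# Fewer steps, but the signed zone carries two RRSIGs per RRset meanwhile.
DOUBLE_SIGNATURE = [
    ({"KSK", "Z1"}, {"Z1"}),
    ({"KSK", "Z1", "Z2"}, {"Z1", "Z2"}),
    ({"KSK", "Z2"}, {"Z2"}),
]
# Naive swap with no overlap: a cached DNSKEY RRset cannot validate the new data.
NAIVE_SWAP = [
    ({"KSK", "Z1"}, {"Z1"}),
    ({"KSK", "Z2"}, {"Z2"}),
]

if __name__ == "__main__":
    for name, steps in (("pre-publish", PRE_PUBLISH),
                        ("double signature", DOUBLE_SIGNATURE),
                        ("naive swap", NAIVE_SWAP)):
        print(f"{name}: first unsafe transition = {first_unsafe_step(steps)}")
```

Both schemes pass the check; what the model does not capture is the size cost of the double-signature scheme, which is the practical objection raised in the thread.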