[Opendnssec-develop] ZSK rollovers

Matthijs Mekking matthijs at NLnetLabs.nl
Thu May 6 13:14:04 UTC 2010



Jakob Schlyter wrote:
> On 6 May 2010, at 15.01, Matthijs Mekking wrote:
>>>> That rule implies that we are always going to use double signature rollover
>>>> for KSKs and are always going to use pre-publish key rollover for ZSKs
>>> for KSK, no - if you use a pre-publish key rollover for the KSK it works as well.
>> Sure, because you never reuse signatures in this special rule, you can
>> do every rollover you want.
> 
> the idea is to reuse signatures as long as the set of key signing keys is unchanged.

So I have to keep a list of previous key signing keys?
Or check the previous signatures to the current key signing keys?
Is it worth it to save creating two signatures for the DNSKEY RRset?

Matthijs
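The second option raised in the message above, checking the existing DNSKEY RRSIGs against the current key signing keys instead of keeping a history of previous ones, could look like this. It is an added example, not code from the thread or from OpenDNSSEC; the class names, function names and sample keys are constructed for illustration.

```python
from dataclasses import dataclass

KSK_FLAGS = 257  # DNSKEY flags value with the zone-key and SEP bits set


@dataclass(frozen=True)
class Dnskey:  # hypothetical container for one DNSKEY record
    flags: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | key
        return self.flags.to_bytes(2, "big") + bytes([3, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # Key tag calculation from RFC 4034 Appendix B (algorithms other than 1).
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte if i & 1 else byte << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class Rrsig:  # hypothetical container: only the signer fields of an RRSIG
    algorithm: int
    key_tag: int


def signer_diff(dnskeys, rrsigs):
    """Return (KSKs with no signature yet, signers that are no longer a KSK).

    Key tags are not guaranteed unique, so (algorithm, key tag) identifies a
    signer only as well as the RRSIG record itself does.
    """
    current = {(k.algorithm, k.key_tag()) for k in dnskeys if k.flags == KSK_FLAGS}
    signers = {(s.algorithm, s.key_tag) for s in rrsigs}
    return current - signers, signers - current


def same_ksk_set(dnskeys, rrsigs) -> bool:
    # True when the existing signatures were made by exactly the current KSKs.
    missing, stale = signer_diff(dnskeys, rrsigs)
    return not missing and not stale


# Constructed sample keys (not real key material).
KSK_A = Dnskey(257, 8, b"\x01\x02\x03\x04")
KSK_B = Dnskey(257, 8, b"\x0a\x0b\x0c\x0d")
ZSK = Dnskey(256, 8, b"\x05\x06")
SIG_BY_A = Rrsig(algorithm=8, key_tag=KSK_A.key_tag())
```

The comparison only answers whether the signer set changed; it needs no stored list of earlier keys because the RRSIG records already name their signers.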


