[Opendnssec-develop] ZSK rollovers

Jakob Schlyter jakob at kirei.se
Thu May 6 14:02:00 UTC 2010

On 6 maj 2010, at 15.14, Matthijs Mekking wrote:

>> the idea is to reuse signatures as long as the set of key signing keys is unchanged.
> So I have to keep a list of of previous key signing keys?
> Or check the previous signatures to the current key signing keys?
> Is it worth it to save creating two signatures for the DNSKEY RRset?

if the set of keys used to create the DNSKEY RRSIG RRset is not the same as the set of keys marked as <KSK>, you drop the signatures are recreate them.


More information about the Opendnssec-develop mailing list