[Opendnssec-develop] ZSK rollovers
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu May 6 14:17:57 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I am getting confused more and more. But to be fair, the DNSKEY RRset is
not that important if we talk about signature reusing.
Matthijs
Jakob Schlyter wrote:
> On 6 maj 2010, at 15.14, Matthijs Mekking wrote:
>
>>> the idea is to reuse signatures as long as the set of key signing keys is unchanged.
>> So I have to keep a list of of previous key signing keys?
>> Or check the previous signatures to the current key signing keys?
>> Is it worth it to save creating two signatures for the DNSKEY RRset?
>
> if the set of keys used to create the DNSKEY RRSIG RRset is not the same as the set of keys marked as <KSK>, you drop the signatures are recreate them.
>
> jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEcBAEBAgAGBQJL4s+TAAoJEA8yVCPsQCW5cRYIAM2hr5RQVSqq1wvxB2NrquzA
fmpe0JZwxVu2VpFZsC3PxG/mcDEtmsMoA382vPvtXdIQvejQOVUlr+UUBHcKo6ce
iHh0IOMHFGjP0KHCH1RFb3SzGoWZqUxcxnj7/yksYnP/QLN4r0ko+WpwjKjaF+Qa
2hzpt0BYzZ/pgdlufdwmxGcCnWEPTuqANkM1/ZYgwFynF/1iuX+wiRBBTbkgYjGZ
t3Fc/t9RLfsGubkqh9dUS5+msnUrKSGyhXG/AJ0msJalCY8SgKEptgB+51JbAJVW
XPFqP+leLosW9IvJc9Gnk1STQIdIPjNhKFtvW6J/a3kY7Vw1U+1EtX5YJAOyjlc=
=EcUK
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop
mailing list