[Opendnssec-develop] ZSK rollovers
Jakob Schlyter
jakob at kirei.se
Thu May 6 14:20:17 UTC 2010
On 6 May 2010, at 16.17, Matthijs Mekking wrote:
> I am getting confused more and more. But to be fair, the DNSKEY RRset is
> not that important if we talk about signature reusing.
as I think this is very clear, what is it that is confusing?
if we have
example.com. DNSKEY ksk1
DNSKEY zsk1
RRSIG ksk1
then add another ksk2, giving:
example.com. DNSKEY ksk1
DNSKEY ksk2
DNSKEY zsk1
RRSIG ksk1
the signer can (without any other information than the previously signed zone) detect that 'example.com RRSIG ksk2' is missing and drop the signature by ksk1. no?
jakob
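Jakob's two zone snapshots worked through as a signer decision, added here as an illustration; this is not code from the mail or from OpenDNSSEC's signer. The record layout, the key labels ksk1/ksk2/zsk1 and the rule that every KSK in the RRset must have its own RRSIG over DNSKEY are constructed assumptions.

```python
# Added example (not OpenDNSSEC code): decide which RRSIGs over the DNSKEY
# RRset can be reused when the signer only has the previously signed zone.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Key:
    name: str      # label as used in the mail, e.g. "ksk1" (constructed)
    is_ksk: bool   # KSKs sign the DNSKEY RRset, ZSKs sign the other RRsets

@dataclass
class SignedZone:
    dnskeys: frozenset                                   # DNSKEY RRset (set of Key)
    rrsigs: frozenset = field(default_factory=frozenset)  # key names with an RRSIG over DNSKEY

def canonical_rrset(keys):
    # An RRSIG covers the whole RRset in canonical order, so adding or removing
    # any DNSKEY changes the data the existing signatures were computed over.
    return tuple(sorted(k.name for k in keys))

def plan_dnskey_signing(previous, current):
    """Return (reuse, drop, sign): RRSIGs to keep, RRSIGs to discard, KSKs to sign with."""
    ksks = {k.name for k in current.dnskeys if k.is_ksk}
    unchanged = canonical_rrset(previous.dnskeys) == canonical_rrset(current.dnskeys)
    # Jakob's shortcut: a KSK that sits in the RRset but has no RRSIG shows,
    # without any RRset comparison, that the signed RRset is not this one.
    missing_sig = ksks - previous.rrsigs
    if unchanged and not missing_sig:
        return set(previous.rrsigs), set(), set()
    # RRset changed: every old RRSIG over DNSKEY is stale, including the one made
    # by ksk1 (still active), and each KSK in the new RRset must sign afresh.
    return set(), set(previous.rrsigs), ksks

# Constructed snapshots matching the two listings in the mail.
ksk1, ksk2, zsk1 = Key("ksk1", True), Key("ksk2", True), Key("zsk1", False)
BEFORE = SignedZone(frozenset({ksk1, zsk1}), frozenset({"ksk1"}))
AFTER = SignedZone(frozenset({ksk1, ksk2, zsk1}))   # ksk2 added, nothing signed yet

if __name__ == "__main__":
    reuse, drop, sign = plan_dnskey_signing(BEFORE, AFTER)
    print(f"reuse={sorted(reuse)} drop={sorted(drop)} sign={sorted(sign)}")
```

Re-running the plan with an unchanged RRset keeps the ksk1 signature; removing a key drops it just as adding ksk2 does, since either way the covered data differs.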