[Opendnssec-develop] review: Signature recycle etc.

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Sep 29 13:44:26 UTC 2010




In Recycling RRSIGs:

A signature may NOT be recycled if:

    * the signature is made by a key marked as Deactivate.

I don't think we need a Deactivate flag for this. We proposed Deactivate
for Double signature rollover, to enforce creating a
new signature with the newly included key. Instead, I want to propose
an additional rule under Generated RRSIGs.

In Generated RRSIGs:

New rule:
  If there are not enough valid signatures, additional signatures
  must be created. The DNSKEY RRset MUST have an equal number of
  signatures as there are active KSKs. Every other RRset MUST have
  an equal number of signatures as there are active ZSKs.

This allows for a smooth transition between the various steps in
pre-published key rollover. There can be signatures of key N in the
zone, while key N is retired and key N+1 is active.

This allows for a fast transition when double signature key rollover is
used. When key N+1 is introduced (being published and active, just like
key N), RRsets signed by these keys require two signatures. Signature
from key N may be reused, while signature of key N+1 needs to be added.


Best regards,

Matthijs


On 09/29/2010 02:48 PM, Jakob Schlyter wrote:
> please review http://trac.opendnssec.org/wiki/Signer/Signatures.
> 
> 	j
> 
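The count-based rule proposed above (a DNSKEY RRset carries as many signatures as there are active KSKs, every other RRset as many as there are active ZSKs, and any still-valid signature may be recycled regardless of its key's state) can be modelled as a small planning function. The following is an added example written for this post; it is not OpenDNSSEC code. It assumes three key states (published, active, retired), treats a signature as "valid" when it will not expire within a refresh window, and, when there are more usable signatures than needed, prefers those made by currently active keys. The key tags, timestamps and RRset types in the demo are constructed.

```python
"""Model of the count-based RRSIG recycling rule from the mail (example only)."""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    KSK = "KSK"
    ZSK = "ZSK"


class State(Enum):
    PUBLISHED = "published"   # in the DNSKEY RRset, not signing yet
    ACTIVE = "active"         # currently signing
    RETIRED = "retired"       # no longer signing, may still be published


@dataclass(frozen=True)
class Key:
    tag: int
    role: Role
    state: State


@dataclass(frozen=True)
class Rrsig:
    key_tag: int
    expiration: int   # seconds since the epoch (constructed values in the demo)


def role_for(rrtype: str) -> Role:
    """The DNSKEY RRset is the KSKs' job; every other RRset belongs to the ZSKs."""
    return Role.KSK if rrtype == "DNSKEY" else Role.ZSK


def plan_signatures(rrtype, existing, keys, now, refresh):
    """Return (recycled, to_sign): signatures to keep and keys that must sign anew.

    The result always yields exactly one signature per active key of the
    RRset's role, counting recycled and new signatures together.
    """
    role = role_for(rrtype)
    signers = [k for k in keys if k.role == role and k.state == State.ACTIVE]
    needed = len(signers)
    signer_tags = {k.tag for k in signers}
    role_tags = {k.tag for k in keys if k.role == role}

    # Assumption: a signature is usable when it outlives the refresh window and
    # its key (active or retired, e.g. key N after rollover) is still in the zone.
    usable = [s for s in existing
              if s.expiration - now > refresh and s.key_tag in role_tags]
    # Tie-break: signatures by active keys first, so a surplus drops retired keys' RRSIGs.
    usable.sort(key=lambda s: (s.key_tag not in signer_tags, s.key_tag))
    recycled = usable[:needed]

    covered = {s.key_tag for s in recycled}
    to_sign = [k for k in signers if k.tag not in covered][:needed - len(recycled)]
    return recycled, to_sign


if __name__ == "__main__":
    NOW = 1_285_764_266            # constructed "now"
    REFRESH = 3 * 24 * 3600        # constructed refresh window
    ksk = Key(tag=11, role=Role.KSK, state=State.ACTIVE)
    key_n = Key(tag=1, role=Role.ZSK, state=State.ACTIVE)
    key_n1 = Key(tag=2, role=Role.ZSK, state=State.ACTIVE)
    sig_n = Rrsig(key_tag=1, expiration=NOW + 10 * 24 * 3600)
    # Double-signature rollover: key N+1 just became active alongside key N.
    print(plan_signatures("A", [sig_n], [ksk, key_n, key_n1], NOW, REFRESH))
```

Running the demo shows the double-signature case from the mail: the signature by key N is recycled and only key N+1 has to sign. Swapping key N's state to `State.RETIRED` gives the pre-publish case, where the still-valid signature by the retired key N is kept and no new signature is created until it nears expiry.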