[Opendnssec-develop] review: Signature recycle etc.
matthijs at NLnetLabs.nl
Wed Sep 29 13:44:26 UTC 2010
In Recycling RRSIGs:
A signature may NOT be recycled if:
* the signature is made by a key marked as Deactivate.
I don't think we need a Deactivate flag for this. We proposed Deactivate
for Double signature rollover, to enforce creating a
new signature with the newly included key. Instead, I want to propose
an additional rule under Generated RRSIGs.
In Generated RRSIGs:
If there are not enough valid signatures, additional signatures
must be created. The DNSKEY RRset MUST have as many signatures as
there are active KSKs. Every other RRset MUST have as many
signatures as there are active ZSKs.
This allows for a smooth transition between the various steps in
pre-published key rollover. There can be signatures of key N in the
zone, while key N is retired and key N+1 is active.
This allows for a fast transition when double signature key rollover is
used. When key N+1 is introduced (being published and active, just like
key N), RRsets signed by these keys require two signatures. The signature
from key N may be reused, while the signature of key N+1 needs to be added.
On 09/29/2010 02:48 PM, Jakob Schlyter wrote:
> please review http://trac.opendnssec.org/wiki/Signer/Signatures.
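The rule proposed in the mail, as an added worked example (not OpenDNSSEC code and not part of the original message): a planner that decides, for one RRset, which existing RRSIGs are recycled and which active keys must produce a new signature. The key states ("published", "active", "retired"), the refresh window and the check that a recycled signature's key is still in the zone's key set are assumptions made here; the mail only says a signature of a retired key N may remain while key N+1 is active.

```python
"""Added example: RRSIG recycling under the count-based rule from the mail.

Assumptions (not from the mail): key states "published"/"active"/"retired",
a refresh window before expiration after which a signature no longer counts
as valid, and the requirement that the signing key is still in the key set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    tag: int
    role: str    # "KSK" or "ZSK"
    state: str   # "published", "active" or "retired" (assumed state names)


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    expiration: int  # POSIX seconds


def active_keys(keys, role):
    return [k for k in keys if k.role == role and k.state == "active"]


def recyclable(sig, keys, now, refresh):
    """A signature is reused while it stays valid beyond the refresh window
    and its key is still part of the key set. A signature made by a retired
    key N therefore keeps counting; no Deactivate flag is consulted."""
    still_valid = sig.expiration > now + refresh
    key_present = any(k.tag == sig.key_tag for k in keys)
    return still_valid and key_present


def plan_signatures(rrset_type, existing, keys, now, refresh):
    """Return (recycled signatures, key tags that must sign now).

    DNSKEY RRset: as many signatures as there are active KSKs.
    Every other RRset: as many signatures as there are active ZSKs.
    Only the shortfall is created, using active keys that have no
    current signature yet.
    """
    role = "KSK" if rrset_type == "DNSKEY" else "ZSK"
    recycled = [s for s in existing if recyclable(s, keys, now, refresh)]
    required = len(active_keys(keys, role))
    signed_by = {s.key_tag for s in recycled}
    candidates = [k.tag for k in active_keys(keys, role) if k.tag not in signed_by]
    deficit = max(0, required - len(recycled))
    return recycled, candidates[:deficit]


# Constructed sample data for the scenarios discussed in the mail.
NOW = 1_285_764_266          # constructed timestamp
REFRESH = 3 * 86400          # re-sign when less than 3 days of validity remain (assumed)
KSK = Key(3000, "KSK", "active")
ZSK_N = Key(1000, "ZSK", "retired")
ZSK_N1 = Key(2000, "ZSK", "active")
SIG_N = RRSIG(1000, NOW + 10 * 86400)   # signature by key N, valid for 10 more days


def prepublish_step():
    """Key N retired, key N+1 active: one active ZSK, one valid signature,
    so nothing needs to be created and N's signature is recycled."""
    return plan_signatures("A", [SIG_N], [KSK, ZSK_N, ZSK_N1], NOW, REFRESH)


def double_signature_step():
    """Keys N and N+1 both active: two signatures required, N's signature is
    reused and one new signature by N+1 is added."""
    zsk_n_active = Key(1000, "ZSK", "active")
    return plan_signatures("A", [SIG_N], [KSK, zsk_n_active, ZSK_N1], NOW, REFRESH)


def expired_signature_step():
    """N's signature is inside the refresh window, so it no longer counts
    and key N+1 must sign."""
    stale = RRSIG(1000, NOW + 86400)
    return plan_signatures("A", [stale], [KSK, ZSK_N, ZSK_N1], NOW, REFRESH)


def dnskey_rrset_step():
    """The DNSKEY RRset is counted against active KSKs, not ZSKs."""
    return plan_signatures("DNSKEY", [], [KSK, ZSK_N, ZSK_N1], NOW, REFRESH)


if __name__ == "__main__":
    for step in (prepublish_step, double_signature_step,
                 expired_signature_step, dnskey_rrset_step):
        recycled, new = step()
        print(f"{step.__name__}: recycle {[s.key_tag for s in recycled]}, sign with {new}")
```

The planner counts signatures rather than checking a per-key flag, which is exactly what lets the pre-publish rollover coast on key N's signature until it approaches expiry while still forcing the second signature in the double-signature case.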