[Opendnssec-develop] review: Signature recycle etc.

Sion Lloyd sion at nominet.org.uk
Thu Sep 30 09:00:41 UTC 2010


> > New rule:
> >  If there are not enough valid signatures, additional signatures
> >  must be created. The DNSKEY RRset MUST have an equal number of
> >  signatures as there are active KSKs. Every other RRset MUST have
> >  an equal number of signatures as there are active ZSKs.
> 
> this sounds more like a rule for an enforcer, than a rule for a signer,
> no?

The enforcer decides which keys should be used/published. It never sees the signed zones and knows nothing about signatures.
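
Added example, not part of the original message and not OpenDNSSEC code: a signer-side check of the quoted rule, run over a constructed zone, that reports which active keys still have to sign each RRset. The record layout, the function names and the `refresh` margin are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rrsig:
    key_tag: int      # simplification: real key tags can collide between keys
    inception: int    # Unix time
    expiration: int   # Unix time

def missing_signers(rrtype, rrsigs, active_ksks, active_zsks, now, refresh=0):
    """Key tags that must still sign this RRset under the quoted rule."""
    # The DNSKEY RRset is covered by the active KSKs, every other RRset by the ZSKs.
    required = set(active_ksks if rrtype == "DNSKEY" else active_zsks)
    # A signature is kept only if it comes from an active key and is valid now.
    # 'refresh' (assumed) treats signatures about to expire as already missing.
    valid = {s.key_tag for s in rrsigs
             if s.key_tag in required
             and s.inception <= now < s.expiration - refresh}
    return sorted(required - valid)

def audit_zone(zone, active_ksks, active_zsks, now, refresh=0):
    """Map (owner, type) -> key tags that need a new signature; complete RRsets are omitted."""
    report = {}
    for (owner, rrtype), rrsigs in zone.items():
        missing = missing_signers(rrtype, rrsigs, active_ksks, active_zsks, now, refresh)
        if missing:
            report[(owner, rrtype)] = missing
    return report

# Constructed sample data: key tags, names and times are made up.
NOW, DAY = 1_285_837_200, 86_400
ACTIVE_KSKS = {1111, 2222}
ACTIVE_ZSKS = {3333, 4444}
ZONE = {
    # Only one of the two active KSKs has signed the DNSKEY RRset.
    ("example.", "DNSKEY"): [Rrsig(1111, NOW - DAY, NOW + 7 * DAY)],
    # The signature made with ZSK 4444 has expired.
    ("example.", "SOA"): [Rrsig(3333, NOW - DAY, NOW + 7 * DAY),
                          Rrsig(4444, NOW - 9 * DAY, NOW - DAY)],
    # Complete; the extra signature from retired key 5555 does not count.
    ("www.example.", "A"): [Rrsig(3333, NOW - DAY, NOW + 7 * DAY),
                            Rrsig(4444, NOW - DAY, NOW + 7 * DAY),
                            Rrsig(5555, NOW - DAY, NOW + 7 * DAY)],
}

if __name__ == "__main__":
    for rrset, tags in audit_zone(ZONE, ACTIVE_KSKS, ACTIVE_ZSKS, NOW).items():
        print(rrset, "needs signatures from key tags", tags)
```

The set of active keys is an input here, which matches the split described above: the enforcer chooses the keys and the signer compares them with the signatures it already holds.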


