[Opendnssec-develop] review: Signature recycle etc.
sion at nominet.org.uk
Thu Sep 30 09:00:41 UTC 2010
> > New rule:
> > If there are not enough valid signatures, additional signatures
> > must be created. The DNSKEY RRset MUST have an equal number of
> > signatures as there are active KSKs. Every other RRset MUST have
> > an equal number of signatures as there are active ZSKs.
> this sounds more like a rule for an enforcer, than a rule for a signer,
The enforcer decides which keys should be used/published. It never sees the signed zones and knows nothing about signatures.
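
The split of duties in this exchange, as an added example that is not part of the original message and not OpenDNSSEC code: the active key tags stand in for what the enforcer decides, and the check over signatures is the signer-side half of the proposed rule. It assumes the rule means one currently valid signature per active key; all names, key tags and timestamps are constructed.

```python
from collections import defaultdict

# Constructed sample: key tags the enforcer has marked active (assumption).
ACTIVE_KSKS = {11111}
ACTIVE_ZSKS = {22222, 33333}

# Constructed sample: RRsets present in the zone, as (owner, type).
RRSETS = [("example.", "DNSKEY"), ("example.", "SOA"), ("www.example.", "A")]

# Constructed sample: existing signatures as
# (owner, type covered, key tag, inception, expiration), times in epoch seconds.
RRSIGS = [
    ("example.", "DNSKEY", 11111, 900_000, 1_100_000),
    ("example.", "SOA", 22222, 900_000, 1_100_000),
    ("www.example.", "A", 22222, 800_000, 950_000),   # already expired at NOW
    ("www.example.", "A", 33333, 900_000, 1_100_000),
]
NOW = 1_000_000


def missing_signatures(rrsets, rrsigs, active_ksks, active_zsks, now):
    """Return {(owner, type): [key tags that still have to sign this RRset]}.

    The DNSKEY RRset is checked against the active KSKs, every other
    RRset against the active ZSKs. A signature counts only if 'now'
    falls inside its validity window.
    """
    valid = defaultdict(set)
    for owner, covered, tag, inception, expiration in rrsigs:
        if inception <= now < expiration:
            valid[(owner, covered)].add(tag)

    todo = {}
    for owner, rtype in rrsets:
        wanted = active_ksks if rtype == "DNSKEY" else active_zsks
        lacking = wanted - valid[(owner, rtype)]
        if lacking:
            todo[(owner, rtype)] = sorted(lacking)
    return todo


if __name__ == "__main__":
    result = missing_signatures(RRSETS, RRSIGS, ACTIVE_KSKS, ACTIVE_ZSKS, NOW)
    for (owner, rtype), tags in result.items():
        print(f"{owner} {rtype}: needs signatures from key tags {tags}")
```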