[Opendnssec-develop] review: Signature recycle etc.

Jakob Schlyter jakob at kirei.se
Thu Sep 30 09:02:40 UTC 2010


On 30 sep 2010, at 11.00, Sion Lloyd wrote:

>>> New rule:
>>> If there are not enough valid signatures, additional signatures
>>> must be created. The DNSKEY RRset MUST have equally number of
>>> signatures as there are active KSKs. Every other RRset MUST have
>>> equally number of signatures as there are active ZSKs.
>> 
>> this sounds more like a rule for an enforcer, than a rule for a signer,
>> no?
> 
> The enforcer decides which keys should be used/published. It never sees the signed zones and knows nothing about signatures.

sure, but it does choose what keys should sign the zone. I'd like that decision to made by the enforcer, not giving the signer much options.

	j




More information about the Opendnssec-develop mailing list