[Opendnssec-develop] review: Signature recycle etc.
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Sep 30 13:09:58 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
What I am trying to enforce with this rule is:
If the enforcer decides we should use n KSKs, the signer should make
sure that n signatures exist in the zone that cover the DNSKEY RRset.
If the enforcer decides we should use n ZSKs, the signer should make
sure that for every non-DNSKEY RRset n signatures exist in the zone.
Best regards,
Matthijs
On 09/30/2010 11:02 AM, Jakob Schlyter wrote:
> On 30 sep 2010, at 11.00, Sion Lloyd wrote:
>
>>>> New rule:
>>>> If there are not enough valid signatures, additional signatures
>>>> must be created. The DNSKEY RRset MUST have equally number of
>>>> signatures as there are active KSKs. Every other RRset MUST have
>>>> equally number of signatures as there are active ZSKs.
>>>
>>> this sounds more like a rule for an enforcer, than a rule for a signer,
>>> no?
>>
>> The enforcer decides which keys should be used/published. It never sees the signed zones and knows nothing about signatures.
>
> sure, but it does choose what keys should sign the zone. I'd like that decision to made by the enforcer, not giving the signer much options.
>
> j
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJMpIwlAAoJEA8yVCPsQCW58oEH/1X7K279vcNMf0A5Sc4gYfcX
hatlmiLePmgZLju6GcP5dEy///54Dcm0kbvaWEHu6Up+HpYU9JwDYibrSulfP/mh
17cWRJo3CqkqlLwU35EGAj3umyqihoFMI1aV+X5nTeIBO0Nw78//NGKw+U8KeLcG
St6xYcfa/tlLAe+ZqE6sB0sarummu+YsW6Bt6BWKVmCAaJe9vEW1I85Y5ZM3wmfn
L8j8y7moquzNL7iQkOcAnWNGFb5xQpYsHTSig4F7S1JF1UJjRYtvsPL4h3/0Fwav
0NZpnqnVgrzVxoceQdXqL6U3BzcmBDbev2S0cGsjAENhYn3QnXmmMfkDlHmOEQI=
=TXWS
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop
mailing list