[Opendnssec-develop] review: Signature recycle etc.
matthijs at NLnetLabs.nl
Thu Sep 30 13:09:58 UTC 2010
What I am trying to enforce with this rule is:
If the enforcer decides we should use n KSKs, the signer should make
sure that n signatures exist in the zone that cover the DNSKEY RRset.
If the enforcer decides we should use n ZSKs, the signer should make
sure that for every non-DNSKEY RRset n signatures exist in the zone.
On 09/30/2010 11:02 AM, Jakob Schlyter wrote:
> On 30 sep 2010, at 11.00, Sion Lloyd wrote:
>>>> New rule:
>>>> If there are not enough valid signatures, additional signatures
>>>> must be created. The DNSKEY RRset MUST have an equal number of
>>>> signatures as there are active KSKs. Every other RRset MUST have
>>>> an equal number of signatures as there are active ZSKs.
>>> this sounds more like a rule for an enforcer, than a rule for a signer,
>> The enforcer decides which keys should be used/published. It never sees the signed zones and knows nothing about signatures.
> sure, but it does choose what keys should sign the zone. I'd like that decision to be made by the enforcer, not giving the signer much options.
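To make the proposed rule concrete, here is an added example (not OpenDNSSEC code, not part of the thread) that checks a signed zone against it: the DNSKEY RRset must carry one signature per active KSK, every other RRset one per active ZSK. The Key/RRset model, key tags and zone contents are constructed for illustration; the "surplus" report is one reading of the "equal number" wording.

```python
from dataclasses import dataclass


# Constructed model of the enforcer's decision: which keys are active.
@dataclass(frozen=True)
class Key:
    keytag: int
    role: str       # "KSK" or "ZSK"
    active: bool    # True if the enforcer says this key signs the zone


# Constructed model of one RRset in the signed zone, together with the
# key tags of the valid RRSIGs that currently cover it.
@dataclass
class RRset:
    owner: str
    rtype: str
    signer_keytags: frozenset


def signature_gaps(keys, rrsets):
    """Apply the rule from the thread: the DNSKEY RRset needs one signature
    per active KSK, every other RRset one per active ZSK.  Returns
    {(owner, rtype): {"missing": [...], "surplus": [...]}} where "missing"
    lists active key tags that still have to sign and "surplus" lists
    signers the rule does not account for (inactive keys or wrong role)."""
    active = {"KSK": set(), "ZSK": set()}
    for k in keys:
        if k.active:
            active[k.role].add(k.keytag)
    gaps = {}
    for rr in rrsets:
        required = active["KSK"] if rr.rtype == "DNSKEY" else active["ZSK"]
        missing = sorted(required - rr.signer_keytags)
        surplus = sorted(rr.signer_keytags - required)
        if missing or surplus:
            gaps[(rr.owner, rr.rtype)] = {"missing": missing, "surplus": surplus}
    return gaps


# Constructed sample: a KSK rollover in progress and a retired ZSK.
KEYS = [
    Key(keytag=11111, role="KSK", active=True),
    Key(keytag=22222, role="KSK", active=True),   # new KSK, must also sign DNSKEY
    Key(keytag=33333, role="ZSK", active=True),
    Key(keytag=44444, role="ZSK", active=False),  # retired ZSK
]
ZONE = [
    RRset("example.", "DNSKEY", frozenset({11111})),   # lacks 22222's signature
    RRset("example.", "SOA", frozenset({33333})),      # satisfies the rule
    RRset("www.example.", "A", frozenset({44444})),    # only a retired signer
]
```

Running `signature_gaps(KEYS, ZONE)` flags the DNSKEY RRset (missing 22222) and www.example./A (missing 33333, surplus 44444) while the SOA passes.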