[Opendnssec-develop] review: Signature recycle etc.

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Sep 30 13:09:58 UTC 2010

What I am trying to enforce with this rule is:

If the enforcer decides we should use n KSKs, the signer should make
sure that n signatures exist in the zone that cover the DNSKEY RRset.

If the enforcer decides we should use n ZSKs, the signer should make
sure that for every non-DNSKEY RRset n signatures exist in the zone.

Best regards,

Matthijs

On 09/30/2010 11:02 AM, Jakob Schlyter wrote:
> On 30 sep 2010, at 11.00, Sion Lloyd wrote:
> 
>>>> New rule:
>>>> If there are not enough valid signatures, additional signatures
>>>> must be created. The DNSKEY RRset MUST have an equal number of
>>>> signatures as there are active KSKs. Every other RRset MUST have
>>>> an equal number of signatures as there are active ZSKs.
>>>
>>> this sounds more like a rule for an enforcer, than a rule for a signer,
>>> no?
>>
>> The enforcer decides which keys should be used/published. It never sees the signed zones and knows nothing about signatures.
> 
> sure, but it does choose what keys should sign the zone. I'd like that decision to be made by the enforcer, not giving the signer much options.
> 
> 	j
> 
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
> 
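The rule discussed in this thread (the DNSKEY RRset carries one valid signature per active KSK, every other RRset one valid signature per active ZSK, and anything else is created or dropped on re-sign), as an added example written for this page. It is not OpenDNSSEC's signer code: the Key/RRSIG/RRset model, the refresh-window rule and the sample zone are all assumptions chosen to make the check runnable offline.

```python
"""Added example: check the "one signature per active key" rule.

Illustrative code written for this page, not OpenDNSSEC's signer.
The data model (Key, RRSIG, RRset) and the sample zone below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Key:
    keytag: int
    role: str      # "KSK" or "ZSK"
    active: bool   # True if the enforcer says this key must sign right now


@dataclass(frozen=True)
class RRSIG:
    keytag: int       # key tag of the key that produced the signature
    inception: int    # seconds since epoch
    expiration: int   # seconds since epoch


@dataclass
class RRset:
    name: str
    rrtype: str
    rrsigs: List[RRSIG] = field(default_factory=list)


def required_keys(rrset: RRset, keys: List[Key]) -> List[Key]:
    """Active KSKs for the DNSKEY RRset, active ZSKs for everything else."""
    role = "KSK" if rrset.rrtype == "DNSKEY" else "ZSK"
    return [k for k in keys if k.active and k.role == role]


def valid_sigs(rrset: RRset, now: int, refresh: int) -> List[RRSIG]:
    """Signatures that are valid now and have more than `refresh` seconds left.

    A signature inside the refresh window counts as not valid, so it is
    replaced before resolvers could ever see it expire (assumed policy).
    """
    return [s for s in rrset.rrsigs
            if s.inception <= now and s.expiration - now > refresh]


def missing_signatures(rrset: RRset, keys: List[Key], now: int, refresh: int) -> List[int]:
    """Key tags of required keys that have no valid signature over this RRset."""
    signed_by = {s.keytag for s in valid_sigs(rrset, now, refresh)}
    # Assumption: key tags are unique within the zone. RFC 4034 does not
    # guarantee that; a real signer would match on the key, not only the tag.
    return [k.keytag for k in required_keys(rrset, keys) if k.keytag not in signed_by]


def stale_signatures(rrset: RRset, keys: List[Key], now: int, refresh: int) -> List[RRSIG]:
    """Signatures that cannot be recycled: expired or near expiry, or made by a
    key that is no longer active for this RRset type. Dropped on re-sign."""
    active_tags = {k.keytag for k in required_keys(rrset, keys)}
    valid = set(valid_sigs(rrset, now, refresh))
    return [s for s in rrset.rrsigs if s not in valid or s.keytag not in active_tags]


def rule_holds(rrset: RRset, keys: List[Key], now: int, refresh: int) -> bool:
    """Exactly as many valid signatures as required keys: nothing missing, nothing stale."""
    return (not missing_signatures(rrset, keys, now, refresh)
            and not stale_signatures(rrset, keys, now, refresh))


def plan_zone(rrsets: List[RRset], keys: List[Key], now: int, refresh: int) -> Dict[Tuple[str, str], List[int]]:
    """Map (owner, type) -> key tags that must produce a new signature."""
    return {(r.name, r.rrtype): missing_signatures(r, keys, now, refresh) for r in rrsets}


# Constructed sample data (not from any real zone).
NOW = 1_000_000
REFRESH = 100_000   # re-sign when fewer than this many seconds of validity remain

KEYS = [
    Key(11111, "KSK", True),
    Key(22222, "KSK", True),    # second active KSK, e.g. mid-rollover
    Key(33333, "ZSK", True),
    Key(44444, "ZSK", False),   # retired ZSK, must no longer sign
]

RRSETS = [
    # DNSKEY signed by one of two active KSKs: one signature missing
    RRset("example.com.", "DNSKEY", [RRSIG(11111, 900_000, 2_000_000)]),
    # A: valid ZSK signature plus a leftover from the retired ZSK
    RRset("www.example.com.", "A", [RRSIG(33333, 900_000, 2_000_000),
                                     RRSIG(44444, 800_000, 2_000_000)]),
    # MX: signature still valid but inside the refresh window
    RRset("example.com.", "MX", [RRSIG(33333, 900_000, 1_050_000)]),
    # SOA: exactly one valid signature per active ZSK, nothing to do
    RRset("example.com.", "SOA", [RRSIG(33333, 900_000, 2_000_000)]),
]

if __name__ == "__main__":
    for r in RRSETS:
        print(f"{r.name} {r.rrtype}: sign with {missing_signatures(r, KEYS, NOW, REFRESH)}, "
              f"drop {[s.keytag for s in stale_signatures(r, KEYS, NOW, REFRESH)]}, "
              f"rule holds: {rule_holds(r, KEYS, NOW, REFRESH)}")
```

The split between `missing_signatures` and `stale_signatures` is what keeps the two roles separate as the thread wants: the enforcer's only input is the `active` flag on each key, and the signer derives from it both which signatures to create and which existing ones it may recycle.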