[Opendnssec-develop] The ds-* commands in Enforcer NG

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Sep 12 11:29:57 UTC 2011


On 09/12/2011 10:52 AM, Rickard Bellgrim wrote:
> Hi
> 
> I noticed that two new commands have been added to Enforcer NG, "key
> ds-retract" and "key ds-gone". Are those needed? For the purpose of
> DNSSEC, it does not matter if you have old DS RRs in the parent zone.

Unless it is a DS with a different algorithm (at least the debate is
still ongoing).

Best regards,
  Matthijs

> As long as you have one valid DS. So we do not need to track the old
> DS RRs. It is implicit that the user removes the old DS RR, because its
> DNSKEY is not included in the "key export" or in the DSSubmitCommand.
> 
> // Rickard



