[Opendnssec-user] Why do we need standby keys?

Antti Ristimäki antti.ristimaki at csc.fi
Fri Jul 9 10:03:44 CEST 2010


On Fri, 2010-07-09 at 10:07 +0300, Ondřej Surý wrote:
> > Why do you need to add the DNSKEY of the previous KSK to the unsigned
> > zone? If someone has the old DNSKEY RRSIG cached, he/she also has the
> > old DNSKEYs cached and is able to validate the DNSKEY RRset.
> 
> Nope. RRSIG and DNSKEY RRSets have often different TTLs and even if
> they were same they will almost never be cached at the same time.

I thought that an RRset and the corresponding RRSIGs should be cached as
an atomic entry. And according to RFC 4034 "The TTL value of an RRSIG RR
MUST match the TTL value of the RRset it covers."

Antti




More information about the Opendnssec-user mailing list