[Opendnssec-user] Why do we need standby keys?

Ondřej Surý ondrej at sury.org
Fri Jul 9 08:30:00 UTC 2010

> On Fri, 2010-07-09 at 10:07 +0300, Ondřej Surý wrote:
>> > Why do you need to add the DNSKEY of the previous KSK to the unsigned
>> > zone? If someone has the old DNSKEY RRSIG cached, he/she also has the
>> > old DNSKEYs cached and is able to validate the DNSKEY RRset.
>> Nope. RRSIG and DNSKEY RRSets have often different TTLs and even if
>> they were same they will almost never be cached at the same time.
> I thought that an RRset and the corresponding RRSIGs should be cached as
> an atomic entry. And according to RFC 4034 "The TTL value of an RRSIG RR
> MUST match the TTL value of the RRset it covers."

Sorry, I was writing faster than thinking :). You're right. What I
wrote applies only to ZSK.

Ondřej Surý <ondrej at sury.org>

More information about the Opendnssec-user mailing list