To:
dnsop <dnsop@cafax.se>
From:
Miek Gieben <miekg@nlnetlabs.nl>
Date:
Mon, 23 Oct 2000 14:06:42 +0200
Content-Disposition:
inline
Sender:
owner-dnsop@cafax.se
User-Agent:
Mutt/1.2.5i
Subject:
keysets at the registry
hi, Were having the following problem. I'm playing a registry, and for now i have 1 child: nlnetlabs.nl.nl. The child want to be secure, so it sends a keyset to me. That keyset contains the public key and a sig with an expiration and inception time. Now it is time for the registry to sign the key of nlnetlabs.nl.nl. So i give the following command: /nlnl/sbin/dnssec-signkey nlnetlabs.nl.nl.keyset ../Knl.nl.+001+26773.private This results in nlnetlabs.nl.nl.signedkey with the _same_ expiration and inception time as the original keyset. When this sigs expires and the registry wants to resign the keyset, it must get a new keyset from the child. Is this really necessary? Why not only send a key to the registry? grtz Miek NLnet Labs