To: Miek Gieben <miekg@nlnetlabs.nl>
Cc: dnsop <dnsop@cafax.se>
From: Brian Wellington <Brian.Wellington@nominum.com>
Date: Mon, 23 Oct 2000 08:41:38 -0700 (PDT)
In-Reply-To: <20001023140642.A19769@nlnetlabs.nl>
Sender: owner-dnsop@cafax.se
Subject: Re: keysets at the registry
On Mon, 23 Oct 2000, Miek Gieben wrote:

> We're having the following problem.
>
> I'm playing a registry, and for now I have 1 child: nlnetlabs.nl.nl.
>
> The child wants to be secure, so it sends a keyset to me.
> That keyset contains the public key and a sig with
> an expiration and inception time.
>
> Now it is time for the registry to sign the key of nlnetlabs.nl.nl.
> So I give the following command:
> /nlnl/sbin/dnssec-signkey nlnetlabs.nl.nl.keyset ../Knl.nl.+001+26773.private
>
> This results in nlnetlabs.nl.nl.signedkey with the _same_
> expiration and inception time as the original keyset.

This is an omission in dnssec-signkey. It will be in a later version,
probably bind 9.1. The plan was to have the child specify a validity
period that it desired, but this could be overridden by the parent.

> When this sig expires and the registry wants to resign the keyset, it
> must get a new keyset from the child.
>
> Is this really necessary? Why not only send a key to the registry?

Several reasons. As Ed mentioned, the TTL needs to be included.
Including a hint as to the validity period is also useful. Also,
dnssec-signkey can attempt to verify the SIG records, which shows that
the creator of the key set possessed the private keys associated with
the public keys in the file.

Brian
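As an added illustration of the checks a parent could run on a child's keyset before signing it (example code written for this page, not BIND's dnssec-signkey and not anything posted in the thread), the script below parses a keyset in the RFC 2535 KEY/SIG presentation format, checks that the SIG is a self-signature whose validity window covers the current time and whose original TTL agrees with the KEY TTL, derives the validity window the parent would put on its own signature (the child's requested window, overridden by the parent's own limit), and reports when a later re-signing would need a fresh keyset because the child's SIG has expired. The keyset, the key tag 12345 and the base64 fields are constructed placeholders, and the cryptographic verification of the SIG that dnssec-signkey performs is not attempted here.

```python
"""Parent-side checks on a child's DNSSEC keyset (RFC 2535 KEY/SIG text form)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample keyset: what a child might hand its registry. One KEY
# record and a SIG(KEY) made with the child's own private key. The base64
# fields and the key tag 12345 are placeholders, not real key material.
CHILD_KEYSET = """\
nlnetlabs.nl.nl. 3600 IN KEY 256 3 1 AQPLACEHOLDERPUBLICKEY==
nlnetlabs.nl.nl. 3600 IN SIG KEY 1 3 3600 20001122140642 20001023140642 12345 nlnetlabs.nl.nl. PLACEHOLDERSIG==
"""


@dataclass
class KeyRR:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int


@dataclass
class SigRR:
    owner: str
    ttl: int
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_dnssec_time(field):
    """YYYYMMDDHHMMSS presentation format (RFC 2535 section 4.3), taken as UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_keyset(text):
    """Split a keyset file into its KEY and SIG records (other lines are ignored)."""
    keys, sigs = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue  # blank or malformed line
        owner, ttl, rrtype = f[0], int(f[1]), f[3]
        if rrtype == "KEY":
            keys.append(KeyRR(owner, ttl, int(f[4]), int(f[5]), int(f[6])))
        elif rrtype == "SIG":
            # RDATA order: type covered, algorithm, labels, original TTL,
            # expiration, inception, key tag, signer name, signature.
            sigs.append(SigRR(owner, ttl, f[4], int(f[5]), int(f[6]), int(f[7]),
                              parse_dnssec_time(f[8]), parse_dnssec_time(f[9]),
                              int(f[10]), f[11]))
    return keys, sigs


def check_keyset(text, now):
    """Return a list of problems; an empty list means the keyset looks usable."""
    keys, sigs = parse_keyset(text)
    problems = []
    if not keys:
        problems.append("no KEY record")
    sigs = [s for s in sigs if s.type_covered == "KEY"]
    if not sigs:
        problems.append("no SIG covering the KEY set")
    for s in sigs:
        # A self-signature is what lets the parent check possession of the private key.
        if s.signer != s.owner:
            problems.append(f"SIG signer {s.signer} is not the keyset owner {s.owner}")
        if not any(k.owner == s.owner and k.algorithm == s.algorithm for k in keys):
            problems.append(f"no KEY with algorithm {s.algorithm} for SIG key tag {s.key_tag}")
        if now < s.inception:
            problems.append(f"SIG {s.key_tag} not yet valid (inception {s.inception:%Y%m%d%H%M%S})")
        if now > s.expiration:
            problems.append(f"SIG {s.key_tag} expired ({s.expiration:%Y%m%d%H%M%S})")
        if any(k.ttl != s.original_ttl for k in keys):
            problems.append("KEY TTL disagrees with SIG original TTL")
    return problems


def parent_window(text, now, max_days):
    """Validity window the parent would sign with: from now until the child's
    requested expiration, but never past the parent's own policy limit."""
    _, sigs = parse_keyset(text)
    child = min((s for s in sigs if s.type_covered == "KEY"), key=lambda s: s.expiration)
    return now, min(child.expiration, now + timedelta(days=max_days))


def needs_fresh_keyset(text, resign_time):
    """True when the child's SIG(KEY) has expired by resign_time, so the parent
    must obtain a new keyset from the child before re-signing."""
    _, sigs = parse_keyset(text)
    return any(resign_time > s.expiration for s in sigs if s.type_covered == "KEY")


if __name__ == "__main__":
    now = datetime(2000, 11, 1, tzinfo=timezone.utc)
    print("problems:", check_keyset(CHILD_KEYSET, now))
    print("parent window (15-day limit):", parent_window(CHILD_KEYSET, now, 15))
    print("fresh keyset needed on 2000-12-01:",
          needs_fresh_keyset(CHILD_KEYSET, parse_dnssec_time("20001201000000")))
```

The parent's limit is applied as an upper bound only, so a child can always ask for a shorter window than the parent's default but never a longer one, which is the override behaviour the message describes.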