To: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: "D. J. Bernstein" <djb@cr.yp.to>
Date: 29 Jul 2001 12:14:24 -0000
Automatic-Legal-Notices: Copyright 2001, D. J. Bernstein. My transmission of this message to you does not constitute a copyright waiver or any other limitation of my rights, even if you have told me otherwise.
Content-Disposition: inline
Subject: Re: NGtrans - DNSext joint meeting, call for participation

Mark.Andrews@nominum.com writes:
> Pre change:
> example.com SIG KEY expire=200107292257 (1 day)
> host.example.com SIG A expire=200108272257 (30 days)
> Post change:
> example.com SIG KEY expire=200107072258 (1 day)
> host.example.com SIG A expire=200108272258 (30 days)

You are, as I said, signing the host record again. You have to sign all your other records too, never mind the costs of generating and distributing the new key.

If you change at least one of your records every day---certainly a reasonable assumption for the big organizations we're talking about---then you are signing all your records every day. The key change isn't accomplishing anything.

The bottom line remains the same. Even without renumbering, you are signing every record every day. If that isn't a problem, then occasional renumbering certainly isn't a problem. If you have one day warning, you can renumber for free.

---Dan