To: IETF DNSOP WG <dnsop@cafax.se>
From: Jakob Schlyter <jakob@rfc.se>
Date: Thu, 23 Oct 2003 17:14:57 +0200 (CEST)
Sender: owner-dnsop@cafax.se
Subject: comments to draft-ietf-dnsop-dnssec-operational-practices-00
I have some comments regarding key rollover in this document.
3.3.1 Zone-signing key rollovers
Wouldn't it be possible to just add the new key, re-sign with the new key
only, and remove the old key after the old signatures have expired? Old
signatures can still be checked since the old key is still in the zone and
signed by the KSK.
            normal         roll           after
            SOA0           SOA1           SOA2
            SIG10(SOA0)    SIG11(SOA1)    SIG11(SOA2)
            KEY1           KEY1           KEY1
            KEY10          KEY10          KEY11
                           KEY11
            SIG1 (KEY)     SIG1 (KEY)     SIG1 (KEY)
            SIG10(KEY)     SIG11(KEY)     SIG11(KEY)
3.3.2 Key-signing key rollovers
Our (.se) current idea is to always be in the rollover phase: one key
about to expire within 1 year and one key about to expire within 2 years.
When the first key expires, we generate a new one, so we always have two
"active" keys.
            init           roll           roll           roll
            KEY1           KEY1           KEY2           KEY3
                           KEY2           KEY3           KEY4
            SIG1 (KEY)     SIG1 (KEY)     SIG2(KEY)      SIG3(KEY)
                           SIG2 (KEY)     SIG3(KEY)      SIG4(KEY)
jakob
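The two rollover schemes in the message, modelled as an added example that is not code from the e-mail, the draft or .se. It follows the key names of the tables above (KEY1 is the KSK, KEY10/KEY11 the ZSKs, KEY1..KEY4 the successive KSKs); the phase times, signature-expiration values and the function names (zsk_rollover, check_zone, ksk_schedule, anchor_survives) are constructed for illustration. check_zone tests the property the ZSK argument relies on: any signature a resolver may still hold in cache must have its key published in the current DNSKEY RRset, which is why KEY10 may only be dropped after the KEY10 signatures have expired. anchor_survives tests the property the always-in-rollover KSK scheme gives: consecutive phases always share a key, so a validator whose trust anchor came from one phase can still validate the DNSKEY RRset of the next and learn the new key from it.

```python
"""Model of the ZSK and KSK rollover schemes sketched in the message above.

Added example, not code from the e-mail or from .se.  Phase times, signature
expiration values and function names are constructed; key names follow the
message's tables.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    key: str      # name of the key that produced the signature
    over: str     # signed RRset, e.g. "SOA0" or "KEY" (the DNSKEY RRset)
    expires: int  # constructed signature-expiration time (abstract units)


@dataclass(frozen=True)
class Phase:
    name: str
    time: int         # constructed time at which this zone version is served
    keys: frozenset   # DNSKEY RRset: key names published in the zone
    sigs: tuple       # RRSIGs published in the zone at this phase


def zsk_rollover(remove_old_at: int):
    """ZSK roll as in 3.3.1: publish KEY11, re-sign with KEY11 only, then drop
    KEY10.  The KEY10 signatures expire at t=20 (constructed); remove_old_at is
    the time at which the 'after' zone, without KEY10, is served."""
    ksk = "KEY1"
    normal = Phase("normal", 0, frozenset({ksk, "KEY10"}),
                   (Sig("KEY10", "SOA0", 20), Sig(ksk, "KEY", 20), Sig("KEY10", "KEY", 20)))
    roll = Phase("roll", 10, frozenset({ksk, "KEY10", "KEY11"}),
                 (Sig("KEY11", "SOA1", 30), Sig(ksk, "KEY", 30), Sig("KEY11", "KEY", 30)))
    after = Phase("after", remove_old_at, frozenset({ksk, "KEY11"}),
                  (Sig("KEY11", "SOA2", 40), Sig(ksk, "KEY", 40), Sig("KEY11", "KEY", 40)))
    return [normal, roll, after]


def check_zone(phases):
    """Return (phase, key, rrset) triples where a resolver may still hold an
    unexpired signature from this or an earlier phase, but the zone no longer
    publishes the key needed to check it.  Empty list means the roll is safe."""
    violations = []
    for i, phase in enumerate(phases):
        cached = [s for p in phases[:i + 1] for s in p.sigs if s.expires > phase.time]
        for sig in cached:
            if sig.key not in phase.keys:
                violations.append((phase.name, sig.key, sig.over))
    return violations


def ksk_schedule(n_rolls: int):
    """KSK scheme from 3.3.2: after init there are always two active KSKs; at
    every roll the key about to expire is retired and a fresh one generated.
    Returns the active KSK set per column of the message's table."""
    active = ["KEY1"]                 # the 'init' column
    phases = [tuple(active)]
    next_key = 2
    for _ in range(n_rolls):
        if len(active) == 2:
            active.pop(0)             # retire the oldest key
        active.append(f"KEY{next_key}")
        next_key += 1
        phases.append(tuple(active))  # each active key signs the DNSKEY RRset
    return phases


def anchor_survives(phases):
    """True iff every phase shares at least one KSK with its predecessor, so a
    trust anchor learned in phase N still validates the DNSKEY RRset in N+1."""
    return all(set(a) & set(b) for a, b in zip(phases, phases[1:]))


if __name__ == "__main__":
    print("ZSK roll, KEY10 removed after expiry:", check_zone(zsk_rollover(25)))
    print("ZSK roll, KEY10 removed too early:  ", check_zone(zsk_rollover(15)))
    sched = ksk_schedule(3)
    print("KSK schedule:", sched, "anchor survives:", anchor_survives(sched))
    print("Abrupt KSK swap, anchor survives:", anchor_survives([("KEY1",), ("KEY2",)]))
```

Removing KEY10 at t=25, after its signatures expired, reports no violation; removing it at t=15 reports the cached SIG10 records that can no longer be checked. The generated KSK columns match the table in 3.3.2, and an abrupt swap of a single KSK is flagged because no key carries over between the two phases.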