To: IETF DNSOP WG <dnsop@cafax.se>
From: Jakob Schlyter <jakob@rfc.se>
Date: Thu, 23 Oct 2003 17:14:57 +0200 (CEST)
Sender: owner-dnsop@cafax.se
Subject: comments to draft-ietf-dnsop-dnssec-operational-practices-00
I have some comments regarding key rollover in this document.

3.3.1 Zone-signing key rollovers

Wouldn't it be possible to just add the new key, resign with the new key
only and remove the old key after the old signatures have expired? Old
signatures can still be checked since the old key is still in the zone
and signed by the KSK.

    normal         roll           after
    SOA0           SOA1           SOA2
    SIG10(SOA0)    SIG11(SOA1)    SIG11(SOA2)
    KEY1           KEY1           KEY1
    KEY10          KEY10          KEY11
                   KEY11
    SIG1(KEY)      SIG1(KEY)      SIG1(KEY)
    SIG10(KEY)     SIG11(KEY)     SIG11(KEY)

3.3.2 Key-signing key rollovers

Our (.se) current idea is to always be in the rollover phase - one key
about to expire within 1 year and one key about to expire within 2 years.
When the first key expires, we generate a new one, so we always have two
"active" keys.

    init        roll        roll        roll
    KEY1        KEY1        KEY2        KEY3
                KEY2        KEY3        KEY4
    SIG1(KEY)   SIG1(KEY)   SIG2(KEY)   SIG3(KEY)
                SIG2(KEY)   SIG3(KEY)   SIG4(KEY)

jakob
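The two tables in the message above, walked through as a small model of the zone: the ZSK roll (add the new key, re-sign with it only, retire the old key once every signature it made has expired) and the .se KSK scheme (two KSKs, two-year lifetimes staggered by one year). This is an added illustration written for this page, not code from the message, from .se or from the draft; key tags, day numbers, signature lifetimes and the RRset names are constructed sample values, and signing is modelled by key tags rather than real cryptography.

```python
"""
Model of the two rollover schemes from the message: ZSK roll (add new key,
re-sign with it only, retire the old key after its signatures expire) and
the .se KSK scheme (two KSKs with two-year lifetimes, staggered by a year).
Added illustration, not code from the message or the draft. Key tags, day
counts and lifetimes are constructed; "signing" is tracked by key tag only.
"""
from dataclasses import dataclass, field

YEAR = 365  # all times are day numbers


@dataclass(frozen=True)
class Sig:
    covers: str      # RRset the signature covers ("SOA", "KEY", ...)
    keytag: int      # signing key; SIG10(SOA) in the message is Sig("SOA", 10, ...)
    expiration: int  # day from which the signature is no longer valid


@dataclass
class Zone:
    serial: int
    ksks: dict[int, int]                    # keytag -> day the KSK is due to expire
    zsks: set[int]
    sigs: list[Sig] = field(default_factory=list)
    data: tuple[str, ...] = ("SOA", "NS")   # constructed zone-data RRsets
    last_expiry: dict[int, int] = field(default_factory=dict)  # keytag -> latest expiry it signed

    def dnskeys(self) -> set[int]:
        return set(self.ksks) | self.zsks

    def _sign(self, covers: str, keytag: int, now: int, lifetime: int) -> None:
        s = Sig(covers, keytag, now + lifetime)
        self.sigs.append(s)
        self.last_expiry[keytag] = max(self.last_expiry.get(keytag, 0), s.expiration)

    def resign(self, zsk: int, now: int, lifetime: int) -> None:
        """Bump the serial, sign zone data with one ZSK and the KEY RRset with every KSK."""
        if zsk not in self.zsks:
            raise ValueError(f"KEY{zsk} is not a published ZSK")
        self.serial += 1
        self.sigs = []
        for rrset in self.data:
            self._sign(rrset, zsk, now, lifetime)
        for ksk in self.ksks:
            self._sign("KEY", ksk, now, lifetime)


def problems(zone: Zone, now: int) -> list[str]:
    """What a validator looking at the published zone on day `now` would reject."""
    out = []
    for s in zone.sigs:
        if s.expiration <= now:
            out.append(f"SIG{s.keytag}({s.covers}) expired")
        if s.keytag not in zone.dnskeys():
            out.append(f"SIG{s.keytag}({s.covers}) made by a key absent from the KEY RRset")
    if not any(s.covers == "KEY" and s.keytag in zone.ksks for s in zone.sigs):
        out.append("KEY RRset not signed by a KSK")
    for rrset in zone.data:
        if not any(s.covers == rrset and s.keytag in zone.zsks for s in zone.sigs):
            out.append(f"{rrset} not signed by a ZSK")
    return out


def zsk_roll(zone: Zone, new: int, now: int, lifetime: int) -> None:
    """'roll' column: publish the new ZSK and re-sign with it only. The old ZSK
    stays in the KEY RRset, so signatures it made can still be verified."""
    zone.zsks.add(new)
    zone.resign(new, now, lifetime)


def zsk_retire(zone: Zone, old: int, now: int, lifetime: int) -> bool:
    """'after' column: drop the old ZSK once every signature it made has expired.
    Returns False and leaves the zone untouched if that day has not come yet."""
    if now < zone.last_expiry.get(old, 0):
        return False
    zone.zsks.discard(old)
    (remaining,) = zone.zsks                # this model keeps exactly one signing ZSK
    zone.resign(remaining, now, lifetime)   # KEY RRset changed, so the KSK signs it again
    return True


def ksk_roll(zone: Zone, new: int, now: int, zsk: int, lifetime: int) -> list[int]:
    """.se scheme: drop whichever KSK has reached its expiry day, add one that lasts
    two more years, re-sign. Returns the removed tags. From the first roll on there
    are always two KSKs, one with about a year left and one with about two."""
    removed = [tag for tag, until in zone.ksks.items() if until <= now]
    for tag in removed:
        del zone.ksks[tag]
    zone.ksks[new] = now + 2 * YEAR
    if len(zone.ksks) != 2:
        raise RuntimeError(f"expected two active KSKs on day {now}, have {sorted(zone.ksks)}")
    zone.resign(zsk, now, lifetime)
    return removed


def walk_tables() -> dict:
    """Reproduce both tables with constructed days and a 30-day signature lifetime."""
    z = Zone(serial=0, ksks={1: YEAR}, zsks={10})
    z.resign(10, now=0, lifetime=30)
    out = {"normal": sorted(z.dnskeys()), "normal_ok": problems(z, 0) == []}
    zsk_roll(z, new=11, now=10, lifetime=30)
    out["roll"], out["roll_ok"] = sorted(z.dnskeys()), problems(z, 10) == []
    out["retire_day20"] = zsk_retire(z, old=10, now=20, lifetime=30)  # SIG10s valid to day 30
    out["retire_day30"] = zsk_retire(z, old=10, now=30, lifetime=30)
    out["after"], out["after_ok"] = sorted(z.dnskeys()), problems(z, 30) == []
    k = Zone(serial=0, ksks={1: YEAR}, zsks={11})
    k.resign(11, now=0, lifetime=30)
    cols = [sorted(k.ksks)]                                   # init column: KEY1 only
    for new, day in ((2, 0), (3, YEAR), (4, 2 * YEAR)):
        ksk_roll(k, new=new, now=day, zsk=11, lifetime=30)
        cols.append(sorted(k.ksks))
    out["ksk_columns"] = cols
    return out


if __name__ == "__main__":
    print(walk_tables())
```

The model covers only what is published in the zone; `zsk_retire` refuses to drop the old key until the last expiry day recorded for that key has passed, which is the condition stated in the message, and `problems()` is the check a validator applies to each column (every signature in the zone verifiable by a key in the KEY RRset, that RRset signed by a KSK). Resolver caches are outside the model.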