To:
Jakob Schlyter <jakob@rfc.se>
Cc:
IETF DNSOP WG <dnsop@cafax.se>
From:
Miek Gieben <miekg@atoom.net>
Date:
Tue, 28 Oct 2003 10:50:05 +0100
Content-disposition:
inline
In-reply-to:
<Pine.OSX.4.56.0310231711490.456@criollo.schlyter.se>
Mail-followup-to:
Jakob Schlyter <jakob@rfc.se>, IETF DNSOP WG <dnsop@cafax.se>
Sender:
owner-dnsop@cafax.se
User-Agent:
Vim/Mutt/Linux
Subject:
Re: comments to draft-ietf-dnsop-dnssec-operational-practices-00
[On 23 Oct, @17:14, Jakob wrote in "comments to draft-ietf-dnsop-d ..."]
> I have some comments regarding key rollover in this document.
>
> 3.3.1 Zone-signing key rollovers
>
> wouldn't it be possible to just add the new key, resign with the new key
> only and remove the old key after the old signatures have expired? old
> signatures can still be checked since the old key is still in the zone and
> signed by the ksk.

And the other way around? Caches that have only the old keyset and want to
verify sig from the zone? Then you will need the (RR)SIG10 of the data.
(or is that a situation that is not able to occur in the DNS? Unlikely)

>     normal         roll           after
>
>     SOA0           SOA1           SOA2
>     SIG10(SOA0)    SIG11(SOA1)    SIG11(SOA2)
>
>     KEY1           KEY1           KEY1
>     KEY10          KEY10          KEY11
>                    KEY11
>     SIG1 (KEY)     SIG1 (KEY)     SIG1 (KEY)
>     SIG10(KEY)     SIG11(KEY)     SIG11(KEY)
>
>
> 3.3.2 Key-signing key rollovers
>
> our (.se) current idea is to always be in the rollover phase - one key
> about to expire within 1 year and one key about to expire within 2 years.
> when the first key expires, we generate a new one so we always have two
> "active" keys.
>
>     init           roll           roll           roll
>
>     KEY1           KEY1           KEY2           KEY3
>                    KEY2           KEY3           KEY4
>     SIG1 (KEY)     SIG1 (KEY)     SIG2(KEY)      SIG3(KEY)
>                    SIG2 (KEY)     SIG3(KEY)      SIG4(KEY)

Somewhere in the draft there is a hint about doing this, but I cannot seem
to find it quickly. But it is worth adding more verbosely in 3.3.2.

grtz Miek
-- 
"So long, and thanks for all the fish." -- Hitchhikers Guide to the Galaxy
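As an added illustration (not part of the thread or the draft), the following Python models the ZSK schedule from the quoted "normal / roll / after" table and checks it from the viewpoint of a resolver cache that still holds the previous step's DNSKEY RRset or RRSIGs. The key tags (1, 10, 11) are taken from the table; the second schedule, which keeps SIG10 over the data during "roll", is my reading of the reply's "you will need the (RR)SIG10 of the data" and is an assumption, not text from the draft.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneState:
    """One column of the rollover table: published DNSKEYs and the keys
    that currently sign the zone data (SOA in the table)."""
    name: str
    dnskeys: frozenset   # key tags in the DNSKEY RRset
    data_sigs: frozenset  # key tags with an RRSIG over the zone data


# Jakob's proposal, transcribed from the quoted table: KEY10 -> KEY11,
# data resigned with the new key only while KEY10 is still published.
JAKOB = [
    ZoneState("normal", frozenset({1, 10}), frozenset({10})),
    ZoneState("roll", frozenset({1, 10, 11}), frozenset({11})),
    ZoneState("after", frozenset({1, 11}), frozenset({11})),
]

# Assumed variant: during "roll" the data carries both SIG10 and SIG11,
# so a cache holding only the old keyset can still validate it.
DOUBLE_SIG = [
    ZoneState("normal", frozenset({1, 10}), frozenset({10})),
    ZoneState("roll", frozenset({1, 10, 11}), frozenset({10, 11})),
    ZoneState("after", frozenset({1, 11}), frozenset({11})),
]


def check_schedule(schedule):
    """Check each transition in both directions and return the failures.

    'old keys' : cache kept the previous DNSKEY RRset, fetches fresh data;
                 it needs an RRSIG made by a key it already has.
    'old sigs' : cache kept the previous signed data, fetches the fresh
                 DNSKEY RRset; a signing key must still be published.
    """
    failures = []
    for prev, cur in zip(schedule, schedule[1:]):
        if not prev.dnskeys & cur.data_sigs:
            failures.append((cur.name, "old keys"))
        if not prev.data_sigs & cur.dnskeys:
            failures.append((cur.name, "old sigs"))
    return failures


if __name__ == "__main__":
    print("Jakob's table :", check_schedule(JAKOB))       # [('roll', 'old keys')]
    print("with SIG10 too:", check_schedule(DOUBLE_SIG))  # []
```

The only failure is the one the reply points at: a cache that kept the "normal" keyset sees SOA1 signed solely by KEY11 and cannot validate it, whereas Jakob's "old signatures can still be checked" direction passes in both schedules.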