

To: Jakob Schlyter <jakob@rfc.se>
Cc: IETF DNSOP WG <dnsop@cafax.se>
From: Miek Gieben <miekg@atoom.net>
Date: Tue, 28 Oct 2003 10:50:05 +0100
Content-disposition: inline
In-reply-to: <Pine.OSX.4.56.0310231711490.456@criollo.schlyter.se>
Mail-followup-to: Jakob Schlyter <jakob@rfc.se>, IETF DNSOP WG <dnsop@cafax.se>
Sender: owner-dnsop@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: Re: comments to draft-ietf-dnsop-dnssec-operational-practices-00

[On 23 Oct, @17:14, Jakob wrote in "comments to draft-ietf-dnsop-d ..."]
> I have some comments regarding key rollover in this document.
> 
> 3.3.1 Zone-signing key rollovers
> 
> wouldn't it be possible to just add the new key, resign with the new key
> only and remove the old key after the old signatures have expired?  old
> signatures can still be checked since the old key is still in the zone and
> signed by the ksk.

And the other way around? Caches that have only the old keyset and want to
verify a sig from the zone? Then you will need the (RR)SIG10 of the data.
(Or is that a situation that is not able to occur in the DNS? Unlikely.)

>         normal              roll            after
> 
>         SOA0                SOA1            SOA2
>         SIG10(SOA0)         SIG11(SOA1)     SIG11(SOA2)
> 
>         KEY1                KEY1            KEY1
>         KEY10               KEY10           KEY11
>                             KEY11
>         SIG1 (KEY)          SIG1 (KEY)      SIG1 (KEY)
>         SIG10(KEY)          SIG11(KEY)      SIG11(KEY)
> 
> 
> 3.3.2 Key-signing key rollovers
> 
> our (.se) current idea is to always be in the rollover phase - one key
> about to expire within 1 year and one key about to expire within 2 years.
> when the first key expires, we generate a new one so we always have two
> "active" keys.
> 
>         init         roll         roll         roll
> 
>         KEY1         KEY1         KEY2         KEY3
>                      KEY2         KEY3         KEY4
>         SIG1 (KEY)   SIG1 (KEY)   SIG2(KEY)    SIG3(KEY)
>                      SIG2 (KEY)   SIG3(KEY)    SIG4(KEY)
> 

Somewhere in the draft there is a hint about doing this, but I cannot
seem to find it quickly. But it is worth adding more verbosely in 3.3.2.

grtz
      Miek
--
"So long, and thanks for all the fish." 
-- Hitchhikers Guide to the Galaxy
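The cache situation raised in this reply, as an added Python model that is not part of the thread or the draft: a validating cache keeps the DNSKEY RRset it fetched for its TTL, so data it fetches later must verify against that cached keyset. Key tags, timestamps and the TTL are constructed values.

```python
# Added example (not code from the thread): toy model of the cache problem
# for the 3.3.1 ZSK rollover. Keys are identified by constructed key tags
# (1 = KSK, 10 = old ZSK, 11 = new ZSK); times and TTL are constructed too.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cache:
    keys: frozenset  # DNSKEY RRset as cached (key tags)
    expires: int     # time at which the cached DNSKEY RRset goes stale

def fetch_keys(cache, zone_keys, now, ttl):
    """Re-fetch the DNSKEY RRset only once the cached copy has expired."""
    if now >= cache.expires:
        return Cache(frozenset(zone_keys), now + ttl)
    return cache

def validates(cache, rrsig_tags):
    """Data validates iff some RRSIG over it was made by a cached key."""
    return bool(cache.keys & frozenset(rrsig_tags))

def simulate(steps, ttl):
    """steps: (time, zone DNSKEY tags, RRSIG tags over the SOA).
    Returns the validation outcome at each step for one cache."""
    cache, out = Cache(frozenset(), 0), []
    for now, zone_keys, sigs in steps:
        cache = fetch_keys(cache, zone_keys, now, ttl)
        out.append(validates(cache, sigs))
    return out

TTL = 3600
# Add KEY11 and immediately sign with KEY11 only: a cache holding the
# old keyset {1, 10} cannot verify SIG11 until its DNSKEY copy expires.
ADD_AND_RESIGN = [
    (0,   {1, 10},     {10}),   # normal: SOA0 carries SIG10
    (600, {1, 10, 11}, {11}),   # roll: SOA1 carries SIG11 only
]
# Double signature during the roll: SOA1 carries both SIG10 and SIG11.
DOUBLE_SIGN = [
    (0,   {1, 10},     {10}),
    (600, {1, 10, 11}, {10, 11}),
]
# Pre-publish: add KEY11, keep signing with KEY10 for one DNSKEY TTL.
PRE_PUBLISH = [
    (0,    {1, 10},     {10}),
    (600,  {1, 10, 11}, {10}),  # cache still holds {1, 10}; SIG10 verifies
    (3600, {1, 10, 11}, {11}),  # cache refetched the keyset; SIG11 verifies
]

if __name__ == "__main__":
    for name, steps in [("add+resign", ADD_AND_RESIGN), ("double-sign", DOUBLE_SIGN), ("pre-publish", PRE_PUBLISH)]:
        print(name, simulate(steps, TTL))
```

The add-and-resign run fails at the roll step, which is the case described above; the two other runs show the rollover validating throughout.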
