

To: Edward Lewis <lewis@tislabs.com>
Cc: Dan Massey <masseyd@isi.edu>, dnssec@cafax.se
From: Miek Gieben <miekg@nlnetlabs.nl>
Date: Wed, 18 Apr 2001 16:07:14 +0200
Delivery-Date: Thu Apr 19 20:30:45 2001
In-Reply-To: <v03130303b6fbaaf22db2@[199.171.39.24]>; from lewis@tislabs.com on Thu, Apr 12, 2001 at 02:59:50PM -0400
Sender: owner-dnssec@cafax.se
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)

On Thu, Apr 12, 2001 at 02:59:50PM -0400, Edward Lewis wrote:
> At 6:31 AM -0400 4/10/01, Miek Gieben wrote:
> >you will need key rollovers whenever a key is compromised, key over-usage, new
> >sys admins, etc, etc.
> 
> Sorry about being unclear.  When I wrote that I meant to express this:
> 
> "One of the smoldering debates about key rollover is the need to retain the
> old key."
> 
> The need to change keys is known, I just dropped a phrase or two when I was
> typing.  (Too many fine lunches and dinners.) The debate is whether last
> month's key should be used for anything other than authenticating the new
> key to the parent.
Okay, I see what you mean.

I think a key that is considered old should not be used in the DNS.
A child should use the old key to sign a signing request for a new
key directed to the parent. When the new key is signed by the parent,
the use of the old key must stop as soon as its TTL is 0.

grtz Miek
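The exchange Miek sketches above, as an added example that is not part of the original message, the draft, or any implementation: the child signs a request for its new key with its old key, the parent checks that request against the child key it already trusts before signing the new one, and the old key drops out of the published key set once its TTL has run out. The zone name `child.example`, the `Parent`/`Child` classes, the request encoding and the 512-bit textbook RSA (unpadded, toy-sized, not a real DNSSEC algorithm) are all assumptions made for this illustration.

```python
"""Toy simulation of a parent-signed key rollover (added example, not the
draft's or the poster's code).  RSA is textbook and unpadded: illustration
only, never use it as-is."""
import hashlib, json, random, secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demo, not a vetted prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def keygen(bits=512):
    """Return (pub, priv) as ((n, e), (n, d)); toy key size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    return pow(_h(msg), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg)

def canon(obj):
    """Canonical bytes so both sides sign and verify the same encoding."""
    return json.dumps(obj, sort_keys=True).encode()

class Parent:
    """Parent zone: keeps a signature over the child key it currently trusts."""
    def __init__(self, child_name, child_pub):
        self.pub, self.priv = keygen()
        self.child_name, self.child_key = child_name, child_pub
        self.child_key_sig = sign(self.priv, canon(child_pub))

    def handle_rollover(self, request, request_sig):
        """Sign the new key only if the request is signed by the key on file."""
        if request["name"] != self.child_name or not verify(self.child_key, canon(request), request_sig):
            return None                       # rejected: not signed by the trusted key
        self.child_key = tuple(request["new_key"])
        self.child_key_sig = sign(self.priv, canon(self.child_key))
        return self.child_key_sig

class Child:
    TTL = 3600                                # TTL of the published key RRset (assumed)

    def __init__(self, name):
        self.name = name
        self.pub, self.priv = keygen()
        self.pending = None                   # new key awaiting the parent's signature
        self.retired = []                     # (old pub, time it leaves the RRset)

    def request_rollover(self):
        """Generate a new key and sign the request for it with the OLD key."""
        self.pending = keygen()
        request = {"name": self.name, "new_key": list(self.pending[0])}
        return request, sign(self.priv, canon(request))

    def install(self, parent_pub, parent_sig, now):
        """Switch to the new key once the parent's signature over it verifies."""
        new_pub, new_priv = self.pending
        if not verify(parent_pub, canon(new_pub), parent_sig):
            return False
        self.retired.append((self.pub, now + self.TTL))
        self.pub, self.priv, self.pending = new_pub, new_priv, None   # old private key discarded
        return True

    def published_keys(self, now):
        """The old key stays in the RRset only until its TTL has run out."""
        return [self.pub] + [k for k, until in self.retired if now < until]

def run_scenario():
    """Run the exchange (constructed names) and return the checks of interest."""
    child = Child("child.example")
    parent = Parent("child.example", child.pub)
    rogue_pub, rogue_priv = keygen()          # a request signed by an unknown key is refused
    rogue = {"name": "child.example", "new_key": list(rogue_pub)}
    rogue_rejected = parent.handle_rollover(rogue, sign(rogue_priv, canon(rogue))) is None
    old_pub = child.pub                       # genuine rollover: old key signs the request
    request, sig = child.request_rollover()
    installed = child.install(parent.pub, parent.handle_rollover(request, sig), now=0)
    replay_rejected = parent.handle_rollover(request, sig) is None   # old key no longer trusted
    return {"rogue_rejected": rogue_rejected, "installed": installed,
            "parent_trusts_new_key": parent.child_key == child.pub,
            "old_key_published_at_0": old_pub in child.published_keys(0),
            "old_key_published_at_ttl": old_pub in child.published_keys(Child.TTL),
            "replay_rejected": replay_rejected}

if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The two refusals are the point of the design: the parent accepts a new key only on the word of the key it already trusts, and once it has signed the new key a replay of the same request fails, because the old key is no longer the one on file. On the child side the old key is kept in the published set for one TTL so cached copies still validate, and nothing is ever signed with it again.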

