To: Edward Lewis <lewis@tislabs.com>
Cc: Dan Massey <masseyd@isi.edu>, dnssec@cafax.se
From: Miek Gieben <miekg@nlnetlabs.nl>
Date: Thu, 19 Apr 2001 16:05:03 +0200
Delivery-Date: Thu Apr 19 20:31:06 2001
In-Reply-To: <v03130303b6fbaaf22db2@[199.171.39.24]>; from lewis@tislabs.com on Thu, Apr 12, 2001 at 02:59:50PM -0400
Sender: owner-dnssec@cafax.se
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
On Thu, Apr 12, 2001 at 02:59:50PM -0400, Edward Lewis wrote:
> "One of the smoldering debates about key rollover is the need to retain the
> old key."

Hi,

With a search on Google for "retaining old key dnssec" I found one mention, in the key rollover draft from Mark and Donald:

    2. Key Rollover Scenario

    Although DNSSEC provides for the storage of other keys in the DNS for
    other purposes, DNSSEC zone keys are included solely for the purpose of
    being retrieved to authenticate DNSSEC signatures. Thus, when a zone key
    is being rolled over, the old public key should be left in the zone,
    along with the addition of the new public key, for as long as it will
    reasonably be needed to authenticate old signatures that have been
    cached or are held by applications. Similarly, old parent SIGs should be
    retained for a short time after a parent KEY(s) roll over and new parent
    SIGs have been installed.

It states that old keys should be kept for as long as needed; I disagree. If a cache has old signatures and no key, it should not try to verify the old sigs with an old key. Instead it should get the new key and the new sigs. It is better to drop the old key as soon as possible, directly after the parent has signed the new key. If you think about key compromises this makes even more sense.

grtz Miek
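The two rollover policies discussed above, as an added illustration that is not part of the original post or of the draft it quotes. The model below is constructed: zone keys are byte strings, a "SIG" is an HMAC over the RRset tagged with a constructed key tag (real DNSSEC uses public-key signatures and the RFC key-tag algorithm), and the cache deliberately revalidates its stored answer against the KEY RRset it fetches from the zone after the roll, which is the situation both the draft and the reply are talking about. With the old key retained, the stale cached RRset still validates; with the old key dropped, the key tag no longer matches, so the only option is to refetch the RRset and its new SIG.

```python
import hashlib
import hmac

# Constructed sample data: the RRset before and after the operator changes it.
OLD_RRSET = b"www.example. IN A 192.0.2.1"
NEW_RRSET = b"www.example. IN A 192.0.2.2"
# Constructed zone keys (stand-ins; real DNSSEC zone keys are public-key pairs).
KEY_1 = b"zone-key-1-constructed"
KEY_2 = b"zone-key-2-constructed"


def key_tag(key: bytes) -> int:
    """Constructed key tag: 32 bits of a hash of the key, used only so a SIG
    can name the key it was made with (not the RFC key-tag algorithm)."""
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def make_sig(key: bytes, rrset: bytes) -> dict:
    """Stand-in SIG record: an HMAC over the RRset plus the signing key's tag."""
    return {"key_tag": key_tag(key),
            "sig": hmac.new(key, rrset, hashlib.sha256).digest()}


class Zone:
    """Authoritative side: publishes a KEY RRset and signs answers on demand."""

    def __init__(self, key: bytes) -> None:
        self.keys = {key_tag(key): key}   # the published KEY RRset
        self.signing_key = key
        self.rrset = OLD_RRSET

    def answer(self) -> tuple[bytes, dict]:
        """Return the current RRset and a SIG made with the current key."""
        return self.rrset, make_sig(self.signing_key, self.rrset)

    def roll_key(self, new_key: bytes, retain_old: bool) -> None:
        """Switch signing to new_key; keep or drop the old KEY as requested."""
        if not retain_old:
            self.keys = {}
        self.keys[key_tag(new_key)] = new_key
        self.signing_key = new_key


class ValidatingCache:
    """Resolver side: caches one RRset+SIG and validates it against the KEY
    RRset it fetches from the zone."""

    def __init__(self) -> None:
        self.rrset = None
        self.sig = None

    def fetch(self, zone: Zone) -> None:
        self.rrset, self.sig = zone.answer()

    def validate(self, zone: Zone) -> str:
        # Look up the key the cached SIG names. If the zone dropped it, the
        # cached SIG cannot be checked at all; refetching is the only option.
        key = zone.keys.get(self.sig["key_tag"])
        if key is None:
            return "refetch"
        expected = hmac.new(key, self.rrset, hashlib.sha256).digest()
        return "valid" if hmac.compare_digest(expected, self.sig["sig"]) else "bogus"


def rollover_outcome(retain_old: bool) -> tuple[str, bytes]:
    """Simulate: the cache stores data signed by KEY_1; the zone then changes
    the data and rolls to KEY_2. Returns the first validation result and the
    data the cache ends up serving."""
    zone = Zone(KEY_1)
    cache = ValidatingCache()
    cache.fetch(zone)                 # cache now holds OLD_RRSET + SIG(KEY_1)
    zone.rrset = NEW_RRSET            # operator publishes new data ...
    zone.roll_key(KEY_2, retain_old)  # ... and rolls the zone key
    result = cache.validate(zone)
    if result == "refetch":
        cache.fetch(zone)             # new RRset, new SIG(KEY_2)
        assert cache.validate(zone) == "valid"
    return result, cache.rrset


if __name__ == "__main__":
    print("retain old key:", rollover_outcome(True))   # stale data still validates
    print("drop old key:  ", rollover_outcome(False))  # forced refetch, fresh data
```

Running it shows the trade-off in the thread: with `retain_old=True` the cache keeps serving `OLD_RRSET` because the retired key still validates it (and a compromised retired key would validate anything signed with it); with `retain_old=False` the first validation returns `refetch` and the cache ends up with `NEW_RRSET` signed by the current key.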