To: Olaf Kolkman <OKolkman@ripe.net>
Cc: dnssec@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Wed, 4 Jul 2001 08:27:48 -0400
In-Reply-To: <200107040818.KAA24280@x50.ripe.net>
Sender: owner-dnssec@cafax.se
Subject: Re: ttl problems in DNSSEC
At 4:18 AM -0400 7/4/01, Olaf Kolkman wrote:

> I think that the problem is not that K++1 is removed but that the data
> is not signed with S++1.
>
> IMO this is the solution: After the rollover NS MUST sign the data in
> its zone with both keys for a period that is at least the TTL of the
> old key (K++1)

I think this would be heading in the wrong direction. When retiring a key you want to remove the signatures, not perpetuate them.

Perhaps this might be the right step though, but for a different reason - a resolver can't force a recursing name server to get newer data for what it has in its cache.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
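The cache effect discussed in this exchange, as an added toy model that is not part of the thread: a recursive server keeps the old DNSKEY set until its TTL runs out, so data signed only with the new key fails to validate at such a server until the next refresh; signing with both keys for at least the old key's TTL closes that window. Key names "K"/"K+1", the 3600 s TTL and the 600 s step are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Cache:
    """One recursive server's cached DNSKEY set (constructed model)."""
    keys: set
    fetched_at: int
    ttl: int

    def keys_at(self, now, zone):
        # The cached set is served until its TTL elapses; only then is it
        # refetched. Nothing a validator does can force an earlier refresh.
        if now - self.fetched_at >= self.ttl:
            self.keys, self.fetched_at = set(zone.keys), now
        return self.keys

@dataclass
class Zone:
    keys: set      # DNSKEYs currently published by the zone
    signers: set   # keys whose RRSIGs currently cover the zone data

def validates(cache, zone, now):
    """Data validates iff some signing key is in the server's cached DNSKEY set."""
    return bool(zone.signers & cache.keys_at(now, zone))

def rollover_timeline(overlap, key_ttl=3600, step=600):
    """Cache holds {K} at t=0; at t=step the zone rolls to K+1 and signs
    with both keys for `overlap` seconds. Returns the times at which
    validation fails at this cache."""
    zone = Zone(keys={"K"}, signers={"K"})
    cache = Cache(keys=set(zone.keys), fetched_at=0, ttl=key_ttl)
    failures = []
    for now in range(0, 2 * key_ttl + step, step):
        if now == step:                 # rollover: K+1 published, dual signing
            zone.keys = {"K", "K+1"}
            zone.signers = {"K", "K+1"}
        if now >= step + overlap:       # overlap over: old key's RRSIGs dropped
            zone.signers = {"K+1"}
        if now >= step + key_ttl:       # old key's TTL elapsed: stop publishing K
            zone.keys = {"K+1"}
        if not validates(cache, zone, now):
            failures.append(now)
    return failures

if __name__ == "__main__":
    for overlap in (0, 1800, 3600):
        print(f"overlap={overlap:5d}s -> failures at {rollover_timeline(overlap)}")
```

An overlap shorter than the old key's TTL leaves a failure window that ends only when the cache refetches the DNSKEY set.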