

To: ietf-provreg@cafax.se
From: Andrew Sullivan <ajs@shinkuro.com>
Date: Tue, 26 Jan 2010 15:37:36 -0500
Content-Disposition: inline
In-Reply-To: <a06240802c784fdaaded5@[10.31.200.236]>
Mail-Followup-To: Andrew Sullivan <ajs@shinkuro.com>, ietf-provreg@cafax.se
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [ietf-provreg] Revision of 4310

On Tue, Jan 26, 2010 at 03:23:15PM -0500, Edward Lewis wrote:
>> I don't think I understand this one.  Do you mean that there's no
>> RRSIG for that DNSKEY record?
>
> To clarify - Yes.  In this instance, "in-active" would cover having a DS 
> appear, the DNSKEY appear, but no RRSIG created by the private key.  That 
> would make the DS "in-active" in terms of building a chain of trust.

I like this idea better than just not putting the DNSKEY in the DNSKEY
RRset.  Is anyone doing their deployment this way?

On the other hand, I suppose it doesn't really matter whether one does
it this way or by just not including the DNSKEY on the child side.  In
either case, you have to use the old key until the TTL expires
(because without an RRSIG, the new key won't be useful either).  So
why add the key to the DNSKEY RRset at all?

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software.  For (Un-)subscription and similar details
send "help" to ietf-provreg-request@cafax.se
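The three states the thread is circling around (new DS at the parent with no matching DNSKEY at the child; DS plus DNSKEY but no RRSIG made by that key; DS plus DNSKEY plus RRSIG) can be written down as a small chain-of-trust check. The block below is an added illustration, not code from this list or from any registry or EPP/DNSSEC implementation. It computes key tags per RFC 4034 Appendix B and DS digests per RFC 4034 section 5.1.4 with real hashing, but the public-key bytes are constructed placeholders, and an RRSIG over the DNSKEY RRset is modelled only by its signer's key tag and algorithm (no signature verification), since that is all the "does this DS build a chain" question needs. The zone name `example.`, the function names and the state labels are assumptions made for the example.

```python
"""Model of when a DS record is 'active' during a KSK pre-publish rollover.

Added example for the ietf-provreg thread; not the list's or any vendor's code.
Key bytes are constructed placeholders, and RRSIGs carry only signer tag/alg.
"""
import hashlib
from dataclasses import dataclass

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int          # 257 = KSK (SEP bit), 256 = ZSK
    algorithm: int      # 8 = RSASHA256
    public_key: bytes   # placeholder bytes, NOT real key material
    protocol: int = 3

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        return key_tag(self.rdata())


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    type_covered: str       # "DNSKEY" for signatures over the apex DNSKEY RRset
    signer_key_tag: int
    signer_algorithm: int


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 5.1.4: digest = H(owner name wire || DNSKEY RDATA)."""
    h = _DIGESTS[digest_type]
    digest = h(owner_wire(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def classify_ds(ds_set, dnskey_rrset, rrsigs) -> dict:
    """Map each DS key tag to ACTIVE / INACTIVE_UNSIGNED / INACTIVE_NO_DNSKEY.

    A DS is ACTIVE only if it matches a published DNSKEY (full tag+alg+digest
    match, since key tags collide) AND that key has an RRSIG over the DNSKEY
    RRset. DS + DNSKEY without such an RRSIG is the "in-active" state from the
    thread; a DS with no matching DNSKEY is the other way of not activating it.
    """
    signers = {(s.signer_key_tag, s.signer_algorithm)
               for s in rrsigs if s.type_covered == "DNSKEY"}
    result = {}
    for ds in ds_set:
        if ds.digest_type not in _DIGESTS:
            result[ds.key_tag] = "UNSUPPORTED_DIGEST"
            continue
        matching = [k for k in dnskey_rrset if ds_from_dnskey(k, ds.digest_type) == ds]
        if not matching:
            result[ds.key_tag] = "INACTIVE_NO_DNSKEY"
        elif (ds.key_tag, ds.algorithm) in signers:
            result[ds.key_tag] = "ACTIVE"
        else:
            result[ds.key_tag] = "INACTIVE_UNSIGNED"
    return result


def rollover_scenario():
    """Walk the rollover discussed in the thread; return (old, new, states per step)."""
    zone = "example."  # constructed zone name
    old = DNSKEY(zone, 257, 8, bytes([0x10, 0x20, 0x30, 0x40]))
    new = DNSKEY(zone, 257, 8, bytes([0x50, 0x60, 0x70, 0x80]))
    ds_old, ds_new = ds_from_dnskey(old), ds_from_dnskey(new)
    old_sig = RRSIG("DNSKEY", old.key_tag(), 8)
    steps = {
        # 1: parent has new DS, child has not published the DNSKEY at all.
        "ds_only": classify_ds([ds_old, ds_new], [old], [old_sig]),
        # 2: child publishes new DNSKEY but only the old key signs the RRset.
        "dnskey_unsigned": classify_ds([ds_old, ds_new], [old, new], [old_sig]),
        # 3: new key also signs the DNSKEY RRset; its DS now builds a chain.
        "new_signs": classify_ds([ds_old, ds_new], [old, new],
                                 [old_sig, RRSIG("DNSKEY", new.key_tag(), 8)]),
    }
    return old, new, steps


if __name__ == "__main__":
    old, new, steps = rollover_scenario()
    for step, states in steps.items():
        print(f"{step:16s} old DS {states[old.key_tag()]:20s} new DS {states[new.key_tag()]}")
```

In steps 1 and 2 the new DS is unusable for validation either way; a resolver that has cached the old DNSKEY RRset (and the old DS) keeps validating through the old key until those TTLs expire, which is the point made above about the two approaches ending up equivalent.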

