To:
Edward Lewis <lewis@tislabs.com>, Olaf Kolkman <olaf@ripe.net>, dnssec@cafax.se
From:
Daniel Massey <masseyd@isi.edu>
Date:
Fri, 07 Dec 2001 11:24:35 -0500
Sender:
owner-dnssec@cafax.se
Subject:
Re: Where are we (metaphorically speaking)?
Hi,

Also forgot to mention we are working on a toolset that generates the right SIG lifetimes and simplifies things during KEY rollovers and so forth. So for a statement like:

1) At least one week prior to the DS 1 expiration date, generate KEY 2 and enter KEY 2 into your zone.
   - your keyset now contains KEY1 and KEY2
   - the keyset should be signed by BOTH KEY1 and KEY2.
   - the lifetime on BOTH SIG records should match the intended KEY 1 expiration date.
   - you may use either KEY1 or KEY2 (or both) to sign the rest of the zone

The software knows the lifetime for KEY 1 and KEY 2 and constructs the right SIG expiration dates and even spits out the DS record if you just say:

   dnssec-addkey -key KEY2 -pass key2passphrase -isds -zone foo

Does the above and spits out the DS record for sending to the parent.

Dan

PS apologies the draft is a little rougher than expected in terms of dumb typos that seem to only appear after hitting send :)

> DS is substantial change for previous operations.
       ^a                  ^from
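As an added illustration of the rollover rules in the message above (this is not the ISI toolset Dan refers to, nor any code from the thread), the script below models the keyset step: it refuses to proceed unless KEY2 is introduced at least a week before KEY1's intended expiration, emits one keyset SIG per signer with both expirations pinned to that KEY1 date, and derives the DS record the parent would publish. The DS wire format (key tag, algorithm, digest type, SHA-1 over canonical owner name plus key rdata) and the key-tag algorithm are taken from RFC 4034, which post-dates this thread; the key material, flags and dates are constructed toy values.

```python
"""Model of the KEY1 -> KEY2 keyset rollover rules from the mail above.

Added example, not the ISI toolset. Assumptions: RFC 4034 DS/key-tag
format, digest type 1 (SHA-1), constructed toy keys and dates.
"""
import hashlib
import struct
from datetime import datetime, timedelta, timezone


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format KEY/DNSKEY rdata: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the rdata bytes."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(name):
    """Owner name in wire form, lowercased, as hashed into the DS digest."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, rdata):
    """DS record the parent publishes for the key in `rdata` (digest type 1)."""
    algorithm = rdata[3]
    digest = hashlib.sha1(canonical_name(owner) + rdata).hexdigest().upper()
    return "%s. IN DS %d %d 1 %s" % (owner.rstrip("."), key_tag(rdata),
                                     algorithm, digest)


def sig_time(t):
    """SIG inception/expiration in YYYYMMDDHHMMSS presentation form."""
    return t.strftime("%Y%m%d%H%M%S")


def rollover_ok(now, key1_expiry, lead=timedelta(days=7)):
    """Rule 1: KEY2 must enter the zone at least a week before KEY1 expires."""
    return now <= key1_expiry - lead


def keyset_sigs(now, key1_expiry, key1, key2):
    """SIG records over the keyset {KEY1, KEY2}: one per signer, and BOTH
    expire exactly at KEY1's intended expiration, never later."""
    if not rollover_ok(now, key1_expiry):
        raise ValueError("KEY2 introduced less than a week before KEY1 expires")
    return [
        {"signer": key_tag(k),
         "inception": sig_time(now),
         "expiration": sig_time(key1_expiry)}
        for k in (key1, key2)
    ]


if __name__ == "__main__":
    # Constructed toy keys: flags 257, protocol 3, algorithm 5, 4-byte "keys".
    key1 = dnskey_rdata(257, 3, 5, b"\x01\x02\x03\x04")
    key2 = dnskey_rdata(257, 3, 5, b"\x05\x06\x07\x08")
    now = datetime(2002, 1, 20, tzinfo=timezone.utc)
    key1_expiry = datetime(2002, 1, 31, tzinfo=timezone.utc)
    for sig in keyset_sigs(now, key1_expiry, key1, key2):
        print("SIG KEY by tag %(signer)d: %(inception)s -> %(expiration)s" % sig)
    print(ds_record("foo", key2))  # what gets sent to the parent
```

The point the script makes is that the keyset SIG expiration is a function of KEY1's planned lifetime, not of the signing key's own lifetime; a tool that takes only the new key and a zone name, as the command line above does, still needs that KEY1 date to emit correct SIGs.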