To: Daniel Massey <masseyd@isi.edu>
cc: Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Mats Dufberg <dufberg@nic-se.se>
Date: Fri, 22 Mar 2002 19:47:46 +0100 (CET)
In-Reply-To: <3C9B64C9.680ADF4B@isi.edu>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys and DS
On Mar 22, 2002, 12:07 (-0500) Daniel Massey <masseyd@isi.edu> wrote:
> Recommended child roll-over plan:
> - assume parent has "DS A", SIG by parent.
>   child has "KEY A, SIG by A"
> **** child adds "KEY B" to its set so it now has
>   {KEY A, KEY B}, SIG A, SIG B.
> - child sends DS B to parent using secure mechanism
> - within week, parent replaces "DS A" with "DS B".
> - child learns of parent action with dig
> - child waits until caches should have dropped DS A
>   (3 times TTL) and then removes KEY A to get only
>   KEY B, SIG B

Yes, the child should never remove the KEY (well, almost never) before
the parent has removed the equivalent DS. It is like the requirement
that all NS records at parent must exist at child.

Mats
----------------------------------------------------------------------
Mats Dufberg <dufberg@nic-se.se>
----------------------------------------------------------------------
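The following is an added toy model of the roll-over plan quoted above, not code from the thread or from any DNSSEC implementation. It walks a timeline in abstract ticks and checks, at every tick, whether a resolver holding any DS RRset it could legitimately still have cached can validate the child's KEY RRset; the DS TTL of 10 ticks, the parent switch at 2 x TTL and the 3 x TTL wait are constructed values.

```python
"""Toy timeline model of the DS/KEY roll-over plan (added example)."""
from dataclasses import dataclass

TTL = 10            # DS TTL in ticks (constructed value)
A, B = "KEY A", "KEY B"

@dataclass(frozen=True)
class Child:
    keys: frozenset   # KEYs published in the child's apex KEY RRset
    sigs: frozenset   # keys whose SIG covers that KEY RRset

def possible_ds_views(parent_history, now, ttl):
    """Every DS RRset a resolver may still hold at `now`: any set the parent
    served at some instant in [now - ttl, now] may have been fetched then and
    still be cached. parent_history: sorted (start_tick, ds_set) pairs."""
    views = []
    for i, (start, ds) in enumerate(parent_history):
        end = parent_history[i + 1][0] if i + 1 < len(parent_history) else float("inf")
        if start <= now and end >= now - ttl:      # served inside the cache window
            views.append(ds)
    return views

def validates(ds_view, child):
    """Chain of trust holds if some cached DS names a key the child both
    publishes and signs the KEY RRset with."""
    return any(k in child.keys and k in child.sigs for k in ds_view)

def broken_ticks(parent_history, child_history, ttl, horizon):
    """Ticks at which some resolver with a legitimately cached DS can no longer
    validate the child. child_history: (tick, Child) pairs, sorted by tick."""
    bad = []
    for now in range(horizon):
        child = max((s for s in child_history if s[0] <= now), key=lambda s: s[0])[1]
        if not all(validates(v, child) for v in possible_ds_views(parent_history, now, ttl)):
            bad.append(now)
    return bad

def rollover(key_a_removed_at, ttl=TTL):
    """Child adds KEY B at tick 1; parent swaps DS A for DS B at 2*ttl;
    child withdraws KEY A (and its SIG) at the given tick."""
    parent = [(0, {A}), (2 * ttl, {B})]
    child = [(0, Child(frozenset({A}), frozenset({A}))),
             (1, Child(frozenset({A, B}), frozenset({A, B}))),
             (key_a_removed_at, Child(frozenset({B}), frozenset({B})))]
    return broken_ticks(parent, sorted(child, key=lambda s: s[0]), ttl, 8 * ttl)

def recommended_plan():                     # wait 3 x TTL after the parent switch
    return rollover(2 * TTL + 3 * TTL)

def key_removed_before_parent_switch():     # the mistake Mats warns against
    return rollover(TTL)
```

`recommended_plan()` reports no broken ticks, while withdrawing KEY A before the parent has dropped DS A (or right at the switch, `rollover(2 * TTL)`) leaves resolvers with a cached DS A unable to validate until that cache entry expires.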