To: Matt Larson <mlarson@verisign.com>
Cc: dnssec@cafax.se
From: Roy Arends <roy@dnss.ec>
Date: Sat, 19 Jun 2004 22:53:01 +0200 (CEST)
In-Reply-To: <20040619201731.GA3532@chinook.corppc.vrsn.com>
Sender: owner-dnssec@cafax.se
Subject: Re: continued: rrsig(qtype)
On Sat, 19 Jun 2004, Matt Larson wrote:

> On Sat, 19 Jun 2004, Roy Arends wrote:
> > Note that it is not possible for the resolver/validator to notice the
> > difference between a dynamically signed and a pre-signed RRSIG (which is
> > good).
>
> But then a compromised dynamic signing key can be used to sign
> positive answers, too.

Yes, true. If an online key is compromised, it can be used to sign positive
answers as well. (The only solution I see in that event is to "just" take it
out of the apex key-set, or at least out of the set signed by a key-signing
key.)

> Is there any value to a special type of key that is only valid for
> dynamically signed negative answers?

It is not that the key is only 'valid' for dynamically signed answers. It is
just a key that is specifically used for signing negative responses. The value
is that a key for a negative response can be smaller (for some definition of
smaller) than a key for a positive response, so as to increase (well, for some
definition of increase :) ) the speed of dynamic signing. Negative responses
are short lived in general.

Roy