On 11.02.2012 at 11:33, Axel Rau wrote:
>
> On 10.02.2012 at 01:57, Mark Andrews wrote:
>
>> You don't submit the initial DS until the KSK is active and any old
>> state about the DNSKEY has cleared caches. I recommend "activate" +
>> "publish" at the same time.
> I see. draft-ietf-dnsop-dnssec-key-timing-02 uses the term 'used for signing'
> as a synonym for 'active' on page 22.
> I will update the diagram.

Here is the next revision with comments from Mark and Jeff incorporated (same URL):
https://www.chaos1.de/svn-public/repos/network-tools/DNSsec/trunk/dnssec_key_states.pdf
I'm still unsure about submitting the follow-up DS while its KSK is not yet active.
Please review carefully and comment.
Simplifications are also welcome.

Axel

PS: If someone cares, here is the cert of our root ca:
https://www.chaos1.de/cacert.pem
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius