On Feb 17 2009, stephen.mor...@nominet.org.uk wrote:
> John Dickinson and Johan Ihren and I have just submitted
> http://www.ietf.org/internet-drafts/draft-morris-dnsop-dnssec-key-timing-00.txt
> The draft gives a rigorous description of timing considerations in DNSSEC
> key rollovers.
The document seems to assume that switching from one ZSK to another for
actually signing all RRsets in a zone is an atomic operation, e.g.
| Event 4: at some later time, the key is used to sign the zone. This
| point is the activation time (Ta) and after this, the key is said to
| be in the active state.
Ought not some consideration be given to "lazy re-signing", where
RRsets are re-signed with the now-preferred ZSK only as their previous
RRSIGs approach expiry?
More generally, perhaps signature rollover and key rollover ought to
be covered in an integrated fashion.
--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
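A small simulation of the "lazy re-signing" scenario raised in this message, added here as an illustration (it is not code from the post, the draft or any signer). It shows that when RRSIGs are only replaced as they approach expiry, the old ZSK still has live signatures in the zone well past the new key's activation time Ta, so the old DNSKEY cannot be withdrawn at Ta. The RRset names, validity and refresh periods and the day-0 signature state are all constructed.

```python
"""Lazy re-signing across a ZSK rollover (constructed illustration).

Each RRset carries one RRSIG.  A signature is replaced only when it has
`refresh` or fewer days left, and the replacement is made with whichever
ZSK is preferred at that moment: the old key before Ta, the new key from
Ta on.  Time is in days; every name and number here is made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RRSig:
    key: str      # label of the ZSK that produced this signature
    expiry: int   # absolute day on which the signature expires


# Constructed day-0 state: three RRsets, all signed by the old ZSK at
# different times, so their signatures expire on different days.
ZONE_DAY0 = {
    "www": RRSig("ZSK-old", 8),
    "mail": RRSig("ZSK-old", 20),
    "ns": RRSig("ZSK-old", 29),
}


def run_signer(rrsets, ta, validity, refresh, horizon, lazy=True):
    """Simulate the signer from day 0 to `horizon` (inclusive).

    ta:    activation time of the new key (Event 4 in the draft).
    lazy:  True  -> replace only signatures approaching expiry;
           False -> additionally re-sign every RRset on day `ta`.
    Returns {key: last day a signature made by that key was still in
    the zone}.  The old DNSKEY has to stay published at least until
    that day (plus the relevant TTL) or validators holding those
    RRSIGs will fail.
    """
    sigs = dict(rrsets)
    last_in_zone = {}
    for t in range(horizon + 1):
        preferred = "ZSK-new" if t >= ta else "ZSK-old"
        for name, sig in list(sigs.items()):
            due = sig.expiry - t <= refresh
            if due or (not lazy and t == ta):
                # the signature being replaced was present up to day t
                last_in_zone[sig.key] = max(last_in_zone.get(sig.key, 0), t)
                sigs[name] = RRSig(preferred, t + validity)
    for sig in sigs.values():  # signatures still present at the horizon
        last_in_zone[sig.key] = max(last_in_zone.get(sig.key, 0), horizon)
    return last_in_zone


def old_key_overrun(ta, validity=30, refresh=5, horizon=60, lazy=True):
    """Days after Ta on which the old ZSK still has a signature in the zone."""
    return run_signer(ZONE_DAY0, ta, validity, refresh, horizon, lazy)["ZSK-old"] - ta
```

With the constructed inputs the lazy signer keeps an old-key RRSIG in the zone until day 28 although Ta is day 10, whereas re-signing everything at Ta removes the last old-key signature on day 10.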