-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Florian,

On 10/05/2009 08:52 AM, Florian Weimer wrote:
> I don't understand this part:
> | validator configuration. The validator then fetches old DNSKEY
> | RRsets and checks they form a chain to the latest key.
>
> Doesn't this defeat the purpose of key rollovers?

No it doesn't. Key rollovers remain completely effective for computers that are online at the time of rollover. This is as effective as key rollover is today.

The draft proposes a way for computers that were offline during the key rollover to get back on track. The way it is done makes them all get back on track using the most recent keys they had, so that the 'oldest key' is the least old possible.

Thus the key rollover is aimed for, but with the computers being offline, the best you can do is have them 'roll over' in larger steps. This being the step from 'their most recent keys' to the 'current key when they go online'.

Of course, in reality, this turns into a distribution of computers, each with older and older keys, having been offline for longer and longer. There were concerns expressed about limiting that to some maximum, and this has been addressed in a more recent version of the draft.

Best regards,
Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkrJmqcACgkQkDLqNwOhpPiLTQCeJK7uybil6TjLdv+hyNY4jc+R
DWsAoLcZV41JlPpXSGzLxO8K3CFoBqa6
=0pmj
-----END PGP SIGNATURE-----

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
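The catch-up walk Wouter describes, as an added illustration that is not part of the thread or of the draft's text: a validator holding an out-of-date trust anchor replays the published history of DNSKEY RRsets, accepting each RRset only if a key it already trusts signed it, and adopts the new key set as the next link. The key ids, the history and the "signatures" are constructed sample data; HMAC over a canonical encoding stands in for the RRSIG verification a real validator would do with the public key, and the `max_steps` bound is a hypothetical way of expressing the "limit to some maximum" concern raised in the thread.

```python
import hashlib
import hmac

# Constructed toy key material: key id -> secret used for the stand-in HMAC "signature".
# In real DNSSEC the validator only holds public keys; this is a model of the chain logic, not of RSA/ECDSA.
KEYS = {
    "ksk-2007": b"secret-2007",
    "ksk-2008": b"secret-2008",
    "ksk-2009": b"secret-2009",
    "ksk-2010": b"secret-2010",
}


def canonical(rrset):
    # Canonical wire-like form of a DNSKEY RRset: sorted key ids, comma separated.
    return ",".join(sorted(rrset)).encode()


def sign(rrset, signer):
    return hmac.new(KEYS[signer], canonical(rrset), hashlib.sha256).hexdigest()


def verify(rrset, signer, sig):
    # Constant-time comparison, as a real RRSIG check would avoid leaking via timing too.
    return hmac.compare_digest(sign(rrset, signer), sig)


def build_history():
    """Constructed DNSKEY history, oldest first. Each rollover publishes old+new
    together, so the RRset that introduces a key is signed by the outgoing key."""
    rrsets = [
        {"ksk-2007"},
        {"ksk-2007", "ksk-2008"},
        {"ksk-2008"},
        {"ksk-2008", "ksk-2009"},
        {"ksk-2009"},
        {"ksk-2009", "ksk-2010"},
        {"ksk-2010"},
    ]
    return [(frozenset(r), {k: sign(r, k) for k in r}) for r in rrsets]


HISTORY = build_history()


def catch_up(trusted_ids, history, max_steps=None):
    """Replay `history` starting from the validator's stale anchor.

    Returns the key set in force at the end of the chain, or None when no link
    can be verified: the anchor matches nothing, a rollover left no overlap with
    a trusted key, or more than `max_steps` links were needed (hypothetical cap)."""
    trusted = set(trusted_ids)
    started = False
    steps = 0
    for rrset, sigs in history:
        signer = next((k for k in trusted if k in sigs and verify(rrset, k, sigs[k])), None)
        if signer is None:
            if started:
                return None  # chain broken: no currently trusted key signed this RRset
            continue  # RRset predates our anchor; nothing to check yet
        if started:
            steps += 1
            if max_steps is not None and steps > max_steps:
                return None  # too many links: anchor older than the policy allows
        started = True
        trusted = set(rrset)  # adopt the verified RRset as the next link
    return frozenset(trusted) if started else None


if __name__ == "__main__":
    print("offline since 2008 ->", sorted(catch_up({"ksk-2008"}, HISTORY)))
    print("offline since 2007 ->", sorted(catch_up({"ksk-2007"}, HISTORY)))
    print("capped at 2 steps ->", catch_up({"ksk-2008"}, HISTORY, max_steps=2))
```

A validator that has been online throughout only ever sees one overlap RRset and takes a single step; the one that was offline takes as many steps as rollovers it missed, which is exactly the "larger steps" in the reply. Removing an overlap RRset from the history (a rollover with no key in common) breaks the chain and the walk returns None rather than trusting a key nothing vouched for.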