On 2010-09-30, at 16:51, Stephan Lagerholm wrote:

> It is not clear if the validUntil time is referring to the time when the
> key is expected to be rolled into RFC 5011 revoked state or when it is
> expected to be removed from the zone.

I see what you mean.

> What will happen with the keytag field in the published data for an
> historical key that has been revoked? Will it still have the original
> keyid or keyid+128?

Good question!

> Does it make sense to add an additional timer in the published data so
> that the revoked state can be described better?
>
> If RFC5011 rolls are being used, I think the RFC must be referenced.

I think our intention was that the validUntil attribute on the outgoing key would be set as soon as the key was decommissioned, or revoked, or was otherwise not considered a sensible key to use. Since such circumstances would always correspond to the presence of a more current key, this seemed sufficient.

If a client retrieves a trust anchor package and an outgoing anchor is technically still usable (in an RFC5011 roll) but the incoming anchor is also specified, is there any circumstance where we might expect that client to prefer the outgoing anchor?

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
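The two questions in the exchange above (what the keytag of a revoked key looks like, and which anchor a client should use once validUntil has passed) can be made concrete with a short worked example. The code below is added here and is not from the thread or from any draft it discusses. It uses the key tag algorithm of RFC 4034 Appendix B and the REVOKE bit of RFC 5011 section 2.1, both of which are specified; the in-memory layout of the trust anchor package (a list of records with id, keytag, validFrom and validUntil fields) and the sample keys are assumptions constructed for illustration.

```python
import struct
from datetime import datetime

# DNSKEY Flags field bits (RFC 4034 section 2.1.1; REVOKE from RFC 5011 section 2.1)
FLAG_ZONE = 0x0100
FLAG_REVOKE = 0x0080
FLAG_SEP = 0x0001


def keytag(rdata: bytes) -> int:
    """Key tag over the full DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def flags_of(rdata: bytes) -> int:
    return struct.unpack("!H", rdata[:2])[0]


def revoke(rdata: bytes) -> bytes:
    """The same key as the zone publishes it once the RFC 5011 REVOKE bit is set.
    Only the flags word changes, but the tag is computed over the whole RDATA,
    so the tag the zone now advertises differs from the one published earlier."""
    return struct.pack("!H", flags_of(rdata) | FLAG_REVOKE) + rdata[2:]


def is_revoked(rdata: bytes) -> bool:
    return bool(flags_of(rdata) & FLAG_REVOKE)


# Constructed sample keys: tiny public-key bytes so the tags are easy to check by hand.
OUTGOING_KEY = dnskey_rdata(FLAG_ZONE | FLAG_SEP, 3, 8, bytes([1, 2, 3, 4]))
INCOMING_KEY = dnskey_rdata(FLAG_ZONE | FLAG_SEP, 3, 8, bytes([5, 6, 7, 8]))

# Hypothetical in-memory form of a trust anchor package (constructed). The thread
# mentions a validUntil attribute and a keytag field; the rest of the layout is assumed.
ANCHORS = [
    {"id": "outgoing", "keytag": keytag(OUTGOING_KEY), "rdata": OUTGOING_KEY,
     "validFrom": "2010-01-01T00:00:00+00:00", "validUntil": "2010-10-01T00:00:00+00:00"},
    {"id": "incoming", "keytag": keytag(INCOMING_KEY), "rdata": INCOMING_KEY,
     "validFrom": "2010-06-01T00:00:00+00:00", "validUntil": None},
]


def usable_anchor_ids(anchors, now_iso: str) -> list:
    """Anchors a client should trust at `now`: inside the validity window and not revoked."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for a in anchors:
        starts = datetime.fromisoformat(a["validFrom"])
        ends = datetime.fromisoformat(a["validUntil"]) if a["validUntil"] else None
        if starts <= now and (ends is None or now < ends) and not is_revoked(a["rdata"]):
            out.append(a["id"])
    return out


def find_by_keytag(anchors, tag: int):
    """Look a key seen in the zone up in the package by the tag the package published."""
    return next((a["id"] for a in anchors if a["keytag"] == tag), None)


if __name__ == "__main__":
    revoked = revoke(OUTGOING_KEY)
    print("outgoing tag", keytag(OUTGOING_KEY), "after REVOKE", keytag(revoked))
    # The tag in the package no longer matches the revoked key the zone serves:
    print("lookup by revoked tag:", find_by_keytag(ANCHORS, keytag(revoked)))
    print("usable on 2010-09-30:", usable_anchor_ids(ANCHORS, "2010-09-30T00:00:00+00:00"))
    print("usable on 2010-10-15:", usable_anchor_ids(ANCHORS, "2010-10-15T00:00:00+00:00"))
```

With these sample keys the outgoing key's tag moves from 2063 to 2191 when the REVOKE bit is set (the flags word gains 0x0080, so the Appendix B sum grows by 128; with larger keys the fold of the high 16 bits can shift it slightly from an exact +128). A client that matches zone keys against the package by keytag therefore needs either the tag of the unrevoked key and its own knowledge of the REVOKE bit, or both tags recorded. The validity check shows the second question from the defender's side: before validUntil both anchors are usable and the client has no reason to prefer the outgoing one, and after it only the incoming anchor remains.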