On 30 sep 2010, at 18.51, Stephan Lagerholm wrote:

> It is not clear if the validUntil time is referring to the time when the
> key is expected to be rolled into RFC 5011 revoked state or when it is
> expected to be removed from the zone.

Once the key is revoked, it is no longer valid and cannot be used for validation. Given this, I'd say validUntil specifies how long the key is valid for validation - once the revoke bit is flipped, it is no longer valid.

> What will happen with the keytag field in the published data for an
> historical key that has been revoked? Will it still have the original
> keyid or keyid+128?

For the anchor XML I'd expect the keytag field to stay unchanged.

> Does it make sense to add an additional timer in the published data so
> that the revoked state can be described better?

I don't think this - the anchor XML works quite well without RFC 5011, if you a) parse the dates and b) fetch the anchor XML often enough.

jakob

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
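The two mechanics the thread turns on, shown as an added example that is not part of the DNSOP message or of any IANA tooling: why setting the RFC 5011 REVOKE bit moves a DNSKEY's key tag by (about) 128, why an anchor entry that keeps the original tag still matches a revoked key once the bit is masked off, and how a validator that does not implement RFC 5011 can still honour validUntil by parsing the dates in the anchor XML. The key tag arithmetic is RFC 4034 Appendix B; the flag values are the standard DNSKEY bits. The anchor layout follows the element names of the IANA root-anchors.xml file (KeyDigest with validFrom/validUntil attributes, KeyTag, Algorithm, DigestType, Digest), but every value in it, the public key bytes, the function names and the `example.invalid` source URL are constructed for this example.

```python
"""Added example: DNSKEY key tags under RFC 5011 revocation, and validUntil
handling for a trust-anchor XML file. Not code from the DNSOP thread."""
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# DNSKEY flag bits: ZONE and SEP from RFC 4034/4035, REVOKE from RFC 5011.
ZONE_FLAG = 0x0100
SEP_FLAG = 0x0001
REVOKE_FLAG = 0x0080


def keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B.

    The flags field occupies RDATA bytes 0-1; REVOKE (0x0080) lives in the
    low byte at odd index 1, so setting it adds exactly 128 to the
    accumulator. The tag therefore moves by 128, or by 129 when that
    addition carries past 16 bits, which is the "keyid+128" of the thread."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_revoked(flags: int) -> bool:
    """True once the RFC 5011 REVOKE bit has been flipped on the key."""
    return bool(flags & REVOKE_FLAG)


def anchor_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag as the anchor XML would list it: the entry keeps the tag the
    key had when published, so clear REVOKE before computing the tag when
    matching a revoked DNSKEY from the zone against the anchor file."""
    return keytag(flags & ~REVOKE_FLAG, protocol, algorithm, pubkey)


def usable_anchors(xml_text: str, now: datetime) -> list:
    """KeyTag values of anchor entries usable for validation at `now`.

    validUntil is read as the end of validity for validation (the thread's
    reading); an entry without validUntil is open-ended. A validator that
    polls the file often enough can retire keys this way without RFC 5011."""
    root = ET.fromstring(xml_text)
    tags = []
    for entry in root.findall("KeyDigest"):
        valid_from = datetime.fromisoformat(entry.get("validFrom"))
        valid_until = entry.get("validUntil")
        if now < valid_from:
            continue  # not yet valid
        if valid_until is not None and now >= datetime.fromisoformat(valid_until):
            continue  # past validUntil: no longer valid for validation
        tags.append(int(entry.findtext("KeyTag")))
    return tags


# Constructed public-key bytes (not a real key) so the tags are reproducible.
SAMPLE_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01]) + bytes([0xAB, 0xCD]) * 4

# Constructed anchor file in the root-anchors.xml layout; all values are placeholders.
SAMPLE_ANCHOR_XML = """<TrustAnchor id="CONSTRUCTED-EXAMPLE" source="https://example.invalid/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="oldkey" validFrom="2010-07-15T00:00:00+00:00" validUntil="2011-01-01T00:00:00+00:00">
    <KeyTag>46657</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>PLACEHOLDER-DIGEST-OLD</Digest>
  </KeyDigest>
  <KeyDigest id="newkey" validFrom="2010-12-01T00:00:00+00:00">
    <KeyTag>12345</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>PLACEHOLDER-DIGEST-NEW</Digest>
  </KeyDigest>
</TrustAnchor>
"""

if __name__ == "__main__":
    ksk = ZONE_FLAG | SEP_FLAG
    print("published tag:", keytag(ksk, 3, 8, SAMPLE_PUBKEY))
    print("revoked tag:  ", keytag(ksk | REVOKE_FLAG, 3, 8, SAMPLE_PUBKEY))
    print("anchor match: ", anchor_keytag(ksk | REVOKE_FLAG, 3, 8, SAMPLE_PUBKEY))
    for day in ((2010, 10, 1), (2010, 12, 15), (2011, 2, 1)):
        when = datetime(*day, tzinfo=timezone.utc)
        print(when.date(), "usable anchors:", usable_anchors(SAMPLE_ANCHOR_XML, when))
```

With the constructed key the published tag is 46657 and the revoked tag 46785, the +128 the thread mentions; `anchor_keytag` recovers 46657 from the revoked key, which is what lets an unchanged KeyTag in the XML still identify the key. The three dates walk through the overlap window: only the old key before December, both during the overlap, only the new key once validUntil has passed.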