Hi George,

No comment on section 4.1.4, but wanted to note a mistake in your post.

On 05/09/2011 08:22 AM, George Barwood wrote:
> I have a comment about section 4.1.4. Rollover for a Single Type Signing Key
> rollover.
>
> The following simple scheme doesn't seem to be covered.
>
> (1) Introduce new key DNS_K_2
>
> (2) Add DS record for DNS_K_2 to parent zone.
>
> (3) Wait for DNS_K_2 and its DS record to propagate.
>
> (4) Stop signing with DNS_K_2, start signing with DNS_K_1

Start signing with DNS_K_2 and stop signing with DNS_K_1

> (5) Wait for DNS_K_2 signatures to propagate.
>
> (6) Remove DNS_K_1 from child and its DS record from parent.
>
> This has the advantage of minimising the size of the signed DNSKEY response,
> to 2 x DNSKEY and 1 x RRSIG, and doesn't involve double signatures.
>
> It is double-DS, but given that DS records are relatively small, this may be
> a lesser consideration, whereas the size of the DNSKEY response is most
> likely to be affected by fragmentation/TCP fallback considerations.

Best regards,
Wouter

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
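As an added illustration (not part of the thread), here is a small Python model that checks George's double-DS scheme, with Wouter's corrected step (4), against every mix of cached DS, DNSKEY and RRSIG records a validating resolver could still hold between the propagation waits; the key names and the step list are constructed for this example, and each "wait" step is assumed to flush every cache to the latest published state.

```python
from itertools import product

# Single-type signing key: one key signs both the DNSKEY RRset and the zone data.
# A published state is (parent DS set, child DNSKEY RRset, key used for all RRSIGs).

def validates(ds, dnskey_rrset, dnskey_signer, data_signer):
    """DNSSEC chain as a validator sees it: a DS must match the key that signed the
    DNSKEY RRset, that key must be in the RRset, and the data RRSIG key must be in it."""
    return (dnskey_signer in dnskey_rrset and dnskey_signer in ds
            and data_signer in dnskey_rrset)

def first_failing_step(steps):
    """Walk the rollover. Between 'wait' steps a resolver may hold its DS, its DNSKEY
    RRset (with the RRSIG over it) and its data RRSIG from *different* published states.
    Return the index of the first step at which some such mix fails, else None."""
    window = []                                   # states a cache may still hold
    for idx, step in enumerate(steps):
        if step[0] == "wait":
            window = [window[-1]]                 # everything converged to latest state
            continue
        window.append(step[1:])                   # (ds, dnskey_rrset, signer)
        for (ds, _, _), (_, keys, ksig), (_, _, dsig) in product(window, repeat=3):
            if not validates(ds, keys, ksig, dsig):
                return idx
    return None

K1, K2 = "DNS_K_1", "DNS_K_2"                     # constructed key labels
GEORGE_SCHEME = [
    ("set", {K1}, {K1}, K1),                      # steady state before the rollover
    ("set", {K1}, {K1, K2}, K1),                  # (1) introduce DNS_K_2 in the child
    ("set", {K1, K2}, {K1, K2}, K1),              # (2) add DS for DNS_K_2 to the parent
    ("wait",),                                    # (3) wait for DNSKEY and DS to propagate
    ("set", {K1, K2}, {K1, K2}, K2),              # (4) sign with DNS_K_2, stop DNS_K_1
    ("wait",),                                    # (5) wait for DNS_K_2 RRSIGs to propagate
    ("set", {K2}, {K2}, K2),                      # (6) remove DNS_K_1 and its DS
]

def without(step_index):
    """The same scheme with one step dropped, to show why each wait is needed."""
    return [s for i, s in enumerate(GEORGE_SCHEME) if i != step_index]

if __name__ == "__main__":
    print("full scheme fails at:", first_failing_step(GEORGE_SCHEME))   # None
    print("no wait (3) fails at:", first_failing_step(without(3)))      # 3
    print("no wait (5) fails at:", first_failing_step(without(5)))      # 5
```

Dropping wait (3) lets a resolver pair an old parent DS set with a DNSKEY RRset already signed by DNS_K_2; dropping wait (5) lets it pair the shrunken DS set with data still signed by DNS_K_1.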