On 06/22/2011 07:51 PM, Fredrik Ljunggren wrote:
>
> On 2011-06-20, at 01:00, Matthijs Mekking wrote:
>
>> I think you mean sections 4.6.4, 4.6.5 and 4.6.6. Those sections
>> (especially the first two) cover ZSK specific rollover and KSK
>> specific roll-over schemes and are relevant in case a zone is
>> subject to a KSK/ZSK Split Signing Scheme.
>>
>> However, if a zone is subject to a Single Type Signing Scheme,
>> different roll-over schemes are relevant.
>>
>> The main component of 4.6 already says:
>>
>>    This component covers all aspects of zone signing, including the
>>    cryptographic specification surrounding the Key Signing Key and
>>    Zone Signing Key, *signing scheme* and methodology for key
>>    roll-over and the actual zone signing.
>>
>> I think 4.6.4 and 4.6.5 cover methodology for key roll-over. I miss
>> a section that says "Signing Scheme: This subcomponent describes
>> which signing scheme is in use."
>
> I think we may have different conceptions of what a "signing scheme"
> is (which may call for clarification of that in the definitions
> section).
>
> For me, signing scheme is the signature life-time and re-signing
> frequency, paired with the key roll-over schedule. What exactly is it
> you are missing? What would a drafter put in the "signing scheme"
> section which does not fit into any of the other subsections?

Basically it comes to this: It is not clear to me in what component I
can describe whether:

- I am going to use a ZSK/KSK split signing scheme (where I have two
  keys for signing, one to sign the DNSKEY RRset and another to sign the
  rest), or
- I am going to use a Single Type Signing Scheme (where I have one key
  that signs all).

The two different methods I call signing scheme.

If I am going to use ZSK/KSK Split, there is a component that covers
ZSK(-only) roll-over and there is a component that covers KSK(-only)
roll-over. If I am going to use a Single Type Signing Scheme, where do I
describe the roll-over schedule for that key?

Best regards,

Matthijs

> -- Fredrik
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop