On 2011-06-23, at 02:21, Matthijs Mekking wrote:

> The two different methods I call signing scheme.

Ok! I follow you.

> If I am going to use a Single Type Signing Scheme, where do I describe
> the roll-over schedule for that key?

A KSK is a DNSKEY with the SEP bit set. And for validation to work with a 
single key, that key has to have the SEP bit set. So I would suggest roll-overs 
in a single-key zone to be described under KSK roll-over.

And you do have a point that this should be spelled out in the DPS framework 
document. Although, I'm a bit reluctant to have a whole new section for this, 
but would rather see it included in the existing sections.

What do you think about adding some descriptive text to the section "Key 
lengths and algorithms", to include split/single key signing there? And using 
the existing subsections as relevant for roll-overs?

-- Fredrik

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
