On Thu, 28 Jul 2011 19:29:31 +0200 (CEST), Matthijs Mekking <matth...@nlnetlabs.nl> said:
> On Wed, 27 Jul 2011, Alexander Gall wrote:
>> Matthijs,
>>
>> On Wed, 27 Jul 2011 18:03:30 +0200 (CEST), Matthijs Mekking
>> <matth...@nlnetlabs.nl> said:
>>
>>> On Wed, 27 Jul 2011, Alexander Gall wrote:
>>
>>> The corner case tries to make clear that a DNSKEY RRset can be
>>> treated as part of the chain of trust, but also can be treated as zone
>>> content. In the latter case you want to make sure that the signatures
>>> of the new algorithm are propagated before introducing the new DNSKEY.
>>
>> I sort of understand the intention. But how *exactly* would it work?
>> Note that the "pre-published" signature in zone SOA_1 will differ from
>> that in zone SOA_2, because the DNSKEY RRset is not the same (this is
>> different from pre-published signatures by the ZSK, because the RRsets
>> themselves do not change).

> It's about pre-publishing the algorithm. But I now see what you mean and
> I think you are right. The corner case does not actually need these
> special considerations. The algorithm rollover described as it is now is
> not wrong, it just adds a redundant signature in the 'new RRSIGs' step.

Ok. In other words, there is no point in publishing signatures over the
DNSKEY RRset by a key that is not part of that RRset itself, right?

Seems to me that RRSIG_K_1(DNSKEY) should be removed from the "DNSKEY
removal" step as well.

--
Alex
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
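The point argued in the thread, as an added illustration that is not part of the original messages or of any DNSOP draft: a signature over the DNSKEY RRset covers the RRset's own contents, so adding K_2 to the RRset invalidates any RRSIG(DNSKEY) pre-published in SOA_1, and a validator can only use a DNSKEY self-signature whose signing key is present in the RRset, which is why RRSIG_K_1(DNSKEY) is useless at the "DNSKEY removal" step. The model is constructed: HMAC-SHA256 keyed with a per-key secret stands in for a real asymmetric DNSSEC signature, the key names K_1/K_2, the zone name example. and the DNSKEY rdata strings are made up, and the canonical-form helper is a simplification of RFC 4034 canonical ordering. The A-record function shows the contrast the thread draws with pre-published ZSK signatures over RRsets whose rdata does not change.

```python
"""Toy model: why pre-published RRSIG(DNSKEY) by a key outside the RRset is pointless."""
import hashlib
import hmac

# Constructed keys: name -> (DNSKEY rdata as published in the zone, signing secret).
# HMAC with the secret stands in for a real DNSSEC signature (simplification).
KEYS = {
    "K_1": ("257 3 8 K1PUBLIC", b"k1-secret"),
    "K_2": ("257 3 13 K2PUBLIC", b"k2-secret"),
}
ZONE = "example."  # constructed zone name


def canonical(owner, rrtype, rdatas):
    """Simplified canonical RRset form: owner, type, rdata in sorted order."""
    return "|".join([owner.lower(), rrtype] + sorted(rdatas)).encode()


def sign(key_name, owner, rrtype, rdatas):
    """RRSIG-like record: (signer key name, hex tag) over the canonical RRset."""
    secret = KEYS[key_name][1]
    tag = hmac.new(secret, canonical(owner, rrtype, rdatas), hashlib.sha256).hexdigest()
    return (key_name, tag)


def verify(rrsig, owner, rrtype, rdatas):
    """Cryptographic check only: does the tag match the RRset as it is now?"""
    key_name, tag = rrsig
    return hmac.compare_digest(sign(key_name, owner, rrtype, rdatas)[1], tag)


def dnskey_sig(key_name, dnskey_names):
    return sign(key_name, ZONE, "DNSKEY", [KEYS[n][0] for n in dnskey_names])


def usable_dnskey_sigs(dnskey_names, rrsigs):
    """Signers whose RRSIG(DNSKEY) a validator can actually use: the signature
    must verify over the current RRset AND the signing key must be in that RRset
    (the DNSKEY matched against the parent's DS lives in the RRset itself)."""
    rdatas = [KEYS[n][0] for n in dnskey_names]
    return sorted(name for (name, tag) in rrsigs
                  if name in dnskey_names and verify((name, tag), ZONE, "DNSKEY", rdatas))


def rollover():
    """Walk the DNSKEY RRset through the zone versions discussed in the thread."""
    result = {}
    # SOA_1 ("new RRSIGs"): RRset is still {K_1}; RRSIG_K_2(DNSKEY) is pre-published.
    soa1_keys = ["K_1"]
    soa1_sigs = [dnskey_sig("K_1", soa1_keys), dnskey_sig("K_2", soa1_keys)]
    result["SOA_1"] = usable_dnskey_sigs(soa1_keys, soa1_sigs)
    # SOA_2 ("new DNSKEY"): K_2 enters the RRset. Both SOA_1 signatures covered a
    # different RRset, so neither verifies any more; the zone must re-sign anyway.
    soa2_keys = ["K_1", "K_2"]
    result["SOA_2 with SOA_1 sigs"] = usable_dnskey_sigs(soa2_keys, soa1_sigs)
    soa2_sigs = [dnskey_sig("K_1", soa2_keys), dnskey_sig("K_2", soa2_keys)]
    result["SOA_2"] = usable_dnskey_sigs(soa2_keys, soa2_sigs)
    # "DNSKEY removal": K_1 leaves the RRset. A fresh RRSIG_K_1(DNSKEY) verifies
    # cryptographically, but no validator can use it, since K_1 is not in the RRset.
    soa3_keys = ["K_2"]
    soa3_sigs = [dnskey_sig("K_1", soa3_keys), dnskey_sig("K_2", soa3_keys)]
    result["DNSKEY removal"] = usable_dnskey_sigs(soa3_keys, soa3_sigs)
    return result


def prepublished_sig_over_unchanged_rrset_holds():
    """Contrast with ordinary zone data: an A RRset's rdata does not change when a
    key is added, so a signature pre-published by K_2 stays valid afterwards."""
    sig = sign("K_2", "www.example.", "A", ["192.0.2.1"])  # constructed record
    return verify(sig, "www.example.", "A", ["192.0.2.1"])


if __name__ == "__main__":
    for step, usable in rollover().items():
        print(f"{step:24s} usable RRSIG(DNSKEY) signers: {usable}")
    print("pre-published A RRSIG still valid:", prepublished_sig_over_unchanged_rrset_holds())
```

Running the script lists, for each zone version, which RRSIG(DNSKEY) records a validator can use; the SOA_1 pre-published K_2 signature and the K_1 signature at "DNSKEY removal" never appear, which is the redundancy the thread identifies.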