Hi -
I had someone ask me (last night!!) whether or not the "must sign each
RRSet with all of the algorithms in the DNSKEY RRSet" rule applies if
the only key with algorithm A in the RRSet has the revoke bit set. A
question I had never previously considered.
Given that you can't trace trust through that revoked key, and any RRSig
originated by that key is just extraneous bits, I came to three
conclusions: 1) A key must not be counted for the purposes of the rule
if it has the (RFC5011) revoke bit set, 2) the only RRSigs created by a
revoked key are over the DNSKEY RRSet and 3) it's possible/probable that
interpretations could differ.
I tagged this email with the algorithm update ID/RFC candidate because
about the only time you're going to see a revoked singleton key of a
given algorithm is when you're transitioning the algorithms for the zone.
I hesitate to ask - and apologize for asking given the late date for
this document, but should the statements (1) and (2) above or something
similar be included in this document for completeness?
Alternatively, what breaks if publishers omit the extraneous signatures
just because?
Later, Mike
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
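The rule Mike is asking about is the RFC 6840 requirement that every algorithm present in the zone's DNSKEY RRset sign every RRset. The following is an added example, not code from the mail or from any DNS implementation: a small validator-side coverage check that implements conclusion (1), namely that a DNSKEY with the RFC 5011 REVOKE bit (flags bit 8, 0x0080) is not counted when deciding which algorithms must sign, with a switch to show what the strict reading would flag instead. It also checks conclusion (2), that a revoked key's signatures appear only over the DNSKEY RRset. The key tags, algorithm numbers and RRSIG records are constructed sample data for a zone mid-transition from algorithm 8 to algorithm 13; the record classes are simplified stand-ins, not a wire-format parser.

```python
from dataclasses import dataclass

# DNSKEY flag bits (RFC 4034 s2.1.1 and RFC 5011 s2.1)
ZONE = 0x0100    # bit 7: Zone Key
REVOKE = 0x0080  # bit 8: REVOKE (RFC 5011)
SEP = 0x0001     # bit 15: Secure Entry Point


@dataclass(frozen=True)
class DNSKEY:
    """Simplified DNSKEY record: only the fields the coverage rule needs."""
    flags: int
    algorithm: int
    key_tag: int


@dataclass(frozen=True)
class RRSIG:
    """Simplified RRSIG record: type covered plus the signing key's identity."""
    type_covered: str
    algorithm: int
    key_tag: int


def active_algorithms(dnskeys, ignore_revoked=True):
    """Algorithms that must sign every RRset in the zone.

    With ignore_revoked=True this follows the interpretation proposed in the
    mail: a key carrying the REVOKE bit does not count. With False it follows
    a literal reading of the RFC 6840 rule (every algorithm in the RRset).
    """
    algs = set()
    for key in dnskeys:
        if not key.flags & ZONE:
            continue  # non-zone keys are never used to validate zone data
        if ignore_revoked and key.flags & REVOKE:
            continue  # no trust can be traced through a revoked key
        algs.add(key.algorithm)
    return algs


def missing_algorithms(rrtype, rrsigs, dnskeys, ignore_revoked=True):
    """Algorithms required by the rule that have no RRSIG over `rrtype`."""
    required = active_algorithms(dnskeys, ignore_revoked)
    present = {sig.algorithm for sig in rrsigs if sig.type_covered == rrtype}
    return sorted(required - present)


def revoked_key_signatures_outside_dnskey(rrsigs, dnskeys):
    """RRSIGs made by a revoked key over anything other than the DNSKEY RRset.

    RFC 5011 expects a revoked key to sign only the DNSKEY RRset (so the
    revocation itself is authenticated); anything else is extraneous.
    """
    revoked = {(k.algorithm, k.key_tag) for k in dnskeys if k.flags & REVOKE}
    return [sig for sig in rrsigs
            if (sig.algorithm, sig.key_tag) in revoked
            and sig.type_covered != "DNSKEY"]


# Constructed sample: a zone moving from algorithm 8 (RSASHA256) to
# algorithm 13 (ECDSAP256SHA256). The old algorithm-8 KSK has been revoked
# (257 | 0x80 = 385) and is the only algorithm-8 key left in the RRset.
SAMPLE_DNSKEYS = [
    DNSKEY(flags=385, algorithm=8, key_tag=11111),   # revoked old KSK
    DNSKEY(flags=257, algorithm=13, key_tag=22222),  # new KSK
    DNSKEY(flags=256, algorithm=13, key_tag=33333),  # new ZSK
]

SAMPLE_RRSIGS = [
    # The DNSKEY RRset is signed by the revoked key (required by RFC 5011)
    # and by the new KSK.
    RRSIG("DNSKEY", algorithm=8, key_tag=11111),
    RRSIG("DNSKEY", algorithm=13, key_tag=22222),
    # Ordinary zone data is signed by the new ZSK only; the publisher has
    # omitted the "extraneous" algorithm-8 signature the mail asks about.
    RRSIG("A", algorithm=13, key_tag=33333),
]


if __name__ == "__main__":
    print("required (revoked ignored):", active_algorithms(SAMPLE_DNSKEYS))
    print("missing on A, mail's reading:",
          missing_algorithms("A", SAMPLE_RRSIGS, SAMPLE_DNSKEYS))
    print("missing on A, literal reading:",
          missing_algorithms("A", SAMPLE_RRSIGS, SAMPLE_DNSKEYS,
                             ignore_revoked=False))
    print("revoked-key sigs outside DNSKEY:",
          revoked_key_signatures_outside_dnskey(SAMPLE_RRSIGS, SAMPLE_DNSKEYS))
```

Run as-is, the check passes the A RRset under the reading proposed above (the revoked algorithm-8 key is not counted) and reports algorithm 8 as missing under the literal reading, which is exactly the difference in interpretation the mail points out as possible. A validator that takes the literal reading and treats the missing signature as bogus is what "breaks" if publishers omit those signatures; one that takes the proposed reading sees nothing wrong.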