Re: DNSSEC DS vs DNSKEY record publication order question (wrt key algorithm rollover)

2013-01-17 Thread Tony Finch
Brian Kroth wrote:
>
> For instance, suppose I did the following:
>
> - gen new algorithm keys and sign with them
> - wait for some period then publish the new DS (old DS remains)
> - revoke the old algorithm KSK (leave the ZSK alone), which changes its DS
> fingerprint, so publish a new DS

It

Re: DNSSEC DS vs DNSKEY record publication order question (wrt key algorithm rollover)

2013-01-17 Thread Brian Kroth
Tony Finch 2013-01-17 12:02: Brian Kroth wrote: RFC 4035 sec 2.2 says There MUST be an RRSIG for each RRset using at least one DNSKEY of each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset itself MUST be signed by each algorithm appearing in the DS RRset located at the dele

Re: DNSSEC DS vs DNSKEY record publication order question (wrt key algorithm rollover)

2013-01-17 Thread Tony Finch
Brian Kroth wrote:
>
> > RFC 4035 sec 2.2 says
> >
> > There MUST be an RRSIG for each RRset using at least one DNSKEY of
> > each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
> > itself MUST be signed by each algorithm appearing in the DS RRset
> > located at the delegating par

Re: DNSSEC DS vs DNSKEY record publication order question (wrt key algorithm rollover)

2013-01-16 Thread Brian Kroth
Brian Paul Kroth 2013-01-15 23:19: Hello All, First, I'm not currently on the list, so please CC me if you could. Let's try this again now that I'm on the list. Next, I've been working on some scripts to get KSK rotation semi-automated or at least alerting in our environment and I've got