Hi,

We're having the following problem.

I'm playing a registry, and for now I have 1 child: nlnetlabs.nl.nl.

The child wants to be secure, so it sends a keyset to me.
That keyset contains the public key and a sig with
an expiration and inception time.

Now it is time for the registry to sign the key of nlnetlabs.nl.nl.
So I give the following command:
/nlnl/sbin/dnssec-signkey nlnetlabs.nl.nl.keyset ../Knl.nl.+001+26773.private 

This results in nlnetlabs.nl.nl.signedkey with the _same_ 
expiration and inception time as the original keyset.

When this sig expires and the registry wants to re-sign the keyset, it
must get a new keyset from the child.

Is this really necessary? Why not only send a key to the registry?

grtz Miek
NLnet Labs
