On Mon, 23 Oct 2000, Miek Gieben wrote:
> We're having the following problem.
>
> I'm playing a registry, and for now I have 1 child: nlnetlabs.nl.nl.
>
> The child wants to be secure, so it sends a keyset to me.
> That keyset contains the public key and a sig with
> an expiration and inception time.
>
> Now it is time for the registry to sign the key of nlnetlabs.nl.nl.
> So I give the following command:
> /nlnl/sbin/dnssec-signkey nlnetlabs.nl.nl.keyset ../Knl.nl.+001+26773.private
>
> This results in nlnetlabs.nl.nl.signedkey with the _same_
> expiration and inception time as the original keyset.
This is an omission in dnssec-signkey. It will be in a later version,
probably bind 9.1. The plan was to have the child specify a validity
period that it desired, but this could be overridden by the parent.
> When this sig expires and the registry wants to resign the keyset, it
> must get a new keyset from the child.
>
> Is this really necessary? Why not only send a key to the registry?
Several reasons. As Ed mentioned, the TTL needs to be included.
Including a hint as to the validity period is also useful. Also,
dnssec-signkey can attempt to verify the SIG records, which shows that the
creator of the key set possessed the private keys associated with the
public keys in the file.
Brian
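The validity-period logic Brian describes (the child's SIG inception and expiration act as a hint that the parent may override, and an expired keyset SIG means a fresh keyset is needed) as an added illustration; this is not code from the thread or from BIND, and the 30-day cap and 1-day minimum are assumed policy values. Timestamps use the SIG presentation format YYYYMMDDHHMMSS in UTC.

```python
from datetime import datetime, timedelta, timezone

SIG_TIME_FMT = "%Y%m%d%H%M%S"  # SIG record presentation format, UTC


def parse_sig_time(text):
    """Parse a YYYYMMDDHHMMSS timestamp into an aware UTC datetime."""
    return datetime.strptime(text, SIG_TIME_FMT).replace(tzinfo=timezone.utc)


def format_sig_time(moment):
    """Render an aware datetime back into YYYYMMDDHHMMSS."""
    return moment.astimezone(timezone.utc).strftime(SIG_TIME_FMT)


def parent_validity(child_inception, child_expiration, now,
                    max_days=30, min_days=1):
    """Choose the (inception, expiration) the parent puts in its own SIG
    over the child's keyset.

    The child's period is only a hint: the parent never signs for longer
    than its own policy (max_days) and never beyond the child's expiration,
    since after that the child's self-signature no longer vouches for the
    keys. Raises ValueError when the keyset must be refreshed instead.
    (Policy values are assumed for this example.)
    """
    ci = parse_sig_time(child_inception)
    ce = parse_sig_time(child_expiration)
    at = parse_sig_time(now)
    if ce <= ci:
        raise ValueError("child keyset SIG: expiration precedes inception")
    if at >= ce:
        # The self-signature has lapsed: the registry cannot resign from
        # this file and has to obtain a new keyset from the child.
        raise ValueError("child keyset SIG has expired; request a new keyset")
    inception = max(ci, at)
    expiration = min(ce, at + timedelta(days=max_days))
    if expiration - inception < timedelta(days=min_days):
        raise ValueError("remaining child validity is too short to sign")
    return format_sig_time(inception), format_sig_time(expiration)
```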