And Mark's reply to my previous message:
-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 18:39:49 +1000
From: Mark Andrews <[EMAIL PROTECTED]>
To: Jelte Jansen <[EMAIL PROTECTED]>
CC: [email protected]
> Mark Andrews wrote:
>>> No. The DS / published trust anchor indicates support for
>>> the algorithm. Just having a DNSKEY at the apex does not
>>> indicate support for an algorithm.
>
>
> We must be reading this part differently...
>
> There MUST be an RRSIG for each RRset using at least one DNSKEY of
> each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
> itself MUST be signed by each algorithm appearing in the DS RRset
> located at the delegating parent (if any).
>
>
> What I'm getting from this is that the keyset at the apex must (at
> least) be signed by each algorithm in the DS referral, and every rrset
> in the zone must be signed by each algorithm in the apex keyset.
>
which is referred to by a DS / trust anchor.
DNSKEYs are never referenced in isolation. There is always
a DS / trust anchor which specifies which algorithms are
in use.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
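The rule the two messages are arguing over is the algorithm-coverage requirement of RFC 4035, section 2.2 (the text Jelte quotes). The following checker is an added example, not code from either poster or from ISC/BIND: it models a zone as the set of algorithms in its apex DNSKEY RRset, the algorithms in the parent's DS RRset (or a trust anchor), and the RRSIGs present, then reports every RRset that lacks a signature the rule demands. The zone contents, the `make_zone` helper and the rollover stages are constructed for illustration; the algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256) are the IANA registry values.

```python
"""Check a zone against the DNSSEC algorithm-coverage rule quoted in the
thread (RFC 4035, section 2.2):

  1. the apex DNSKEY RRset must be signed by each algorithm that appears in
     the DS RRset (or trust anchor) referring to the zone, and
  2. every RRset in the zone must be signed by at least one DNSKEY of each
     algorithm present in the apex DNSKEY RRset.

The data model and the sample zones below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

RSASHA256 = 8          # IANA DNSSEC algorithm numbers
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class RRSIG:
    owner: str
    rrtype: str
    algorithm: int


@dataclass(frozen=True)
class Zone:
    apex: str
    dnskey_algorithms: frozenset   # algorithms of the keys in the apex DNSKEY RRset
    ds_algorithms: frozenset       # algorithms of the parent's DS records / trust anchor
    rrsets: frozenset              # (owner, rrtype) pairs present in the zone
    rrsigs: tuple                  # RRSIG records covering those RRsets


def check_algorithm_coverage(zone: Zone) -> list:
    """Return a list of violations; an empty list means the zone is consistent."""
    signed_with = defaultdict(set)
    for sig in zone.rrsigs:
        signed_with[(sig.owner, sig.rrtype)].add(sig.algorithm)

    problems = []
    # Rule 1: every DS / trust-anchor algorithm must sign the apex DNSKEY RRset.
    # A DNSKEY algorithm with no DS is allowed (that is how a new algorithm is
    # introduced); a DS algorithm with no matching RRSIG is not.
    for alg in sorted(zone.ds_algorithms - signed_with[(zone.apex, "DNSKEY")]):
        problems.append(f"apex DNSKEY RRset not signed by DS algorithm {alg}")

    # Rule 2: each RRset needs a signature from every apex DNSKEY algorithm.
    # Extra RRSIGs for an algorithm with no DNSKEY yet are harmless.
    for owner, rrtype in sorted(zone.rrsets):
        for alg in sorted(zone.dnskey_algorithms - signed_with[(owner, rrtype)]):
            problems.append(f"{owner}/{rrtype} not signed by algorithm {alg}")
    return problems


def make_zone(dnskey_algs, ds_algs, signing_algs) -> Zone:
    """Constructed zone 'example.' with a fixed set of RRsets, each RRset
    signed once per algorithm in signing_algs."""
    apex = "example."
    rrsets = {(apex, "SOA"), (apex, "NS"), (apex, "DNSKEY"), ("www.example.", "A")}
    rrsigs = tuple(RRSIG(o, t, a) for (o, t) in sorted(rrsets) for a in sorted(signing_algs))
    return Zone(apex, frozenset(dnskey_algs), frozenset(ds_algs), frozenset(rrsets), rrsigs)


def rollover_stages() -> dict:
    """Algorithm rollover 8 -> 13 as a sequence of zone states, including two
    states that break the rule. Returns stage name -> list of violations."""
    stages = {
        "start: alg 8 only": make_zone({8}, {8}, {8}),
        # Allowed: signatures for the new algorithm may precede its DNSKEY.
        "alg 13 signatures added, no alg 13 key yet": make_zone({8}, {8}, {8, 13}),
        # Wrong: new DNSKEY published while the zone is still signed with 8 only.
        "bad: alg 13 key added, zone signed with 8 only": make_zone({8, 13}, {8}, {8}),
        "both keys, both signatures, DS still 8": make_zone({8, 13}, {8}, {8, 13}),
        "both keys, both signatures, DS 8 and 13": make_zone({8, 13}, {8, 13}, {8, 13}),
        # Wrong: alg 8 withdrawn from the zone while the parent's DS still lists it.
        "bad: alg 8 removed, DS still has 8": make_zone({13}, {8, 13}, {13}),
        "end: alg 13 only": make_zone({13}, {13}, {13}),
    }
    return {name: check_algorithm_coverage(zone) for name, zone in stages.items()}


if __name__ == "__main__":
    for name, violations in rollover_stages().items():
        status = "OK" if not violations else "VIOLATION"
        print(f"{status:9} {name}")
        for line in violations:
            print(f"          {line}")
```

The two "bad" stages are exactly the cases the thread discusses: adding a DNSKEY of a new algorithm at the apex before every RRset carries a signature of that algorithm, and dropping the old algorithm while the parent's DS (or a trust anchor) still refers to it. The stage with alg 13 signatures but no alg 13 key passes, which is why rollover procedures add signatures before keys and remove keys before signatures.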