In message <[email protected]>, Matt Larson writes:
> On Wed, 11 Mar 2009, Mark Andrews wrote:
> >
> > In message <[email protected]>, Matt Larson writes:
> > > Mark,
> > >
> > > On Wed, 11 Mar 2009, Mark Andrews wrote:
> > > > [...] it is impossible to convert a DS to a DNSKEY prior to the
> > > > publication of the DNSKEY in the DNS.
> > >
> > > Why would a validator ever need to do this?
> >
> > Because it makes it possible to change DNSKEYs without
> > having to have both the old and new key present in the zone
> > at the same time.
>
> I don't see it. Please explain further.
>
> Matt
I have a new key I want to introduce. I add the DS to the
parent zone at least the ttl(ds) before I start using that
key in the zone. After the DS has been published for ttl(ds)
I can then replace the DNSKEY referred to by the old DS
with that of the new DS and re-sign the DNSKEY RRset. Once
the ttl(dnskey) has expired I can remove the old DS from
the parent zone.

I wish to be able to do something similar with trust anchors.
Publishing DS prevents me from doing so.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
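The rollover Mark describes above, written up as a small timeline simulation (an added example, not part of the thread or of ISC's code): it models which DS and DNSKEY RRset versions a validator could still have cached at each instant, and checks that every combination still yields a chain. The TTL values, the "old"/"new" key labels and the schedule times are constructed assumptions.

```python
# Constructed simulation of the DS-first rollover from the message above: DS_new
# is published ttl(ds) before the child swaps DNSKEY_old for DNSKEY_new, and
# DS_old is withdrawn ttl(dnskey) after the swap. Keys are plain labels; a DS
# "matches" the DNSKEY with the same label. Times in seconds; TTLs are assumed.
TTL_DS = 3600        # assumed TTL of the DS RRset at the parent
TTL_DNSKEY = 900     # assumed TTL of the DNSKEY RRset in the child

def cacheable(history, t, ttl):
    """All versions of an RRset a validator could still hold at time t: every
    version that was the published RRset at some instant in [t - ttl, t].
    history is a chronological list of (start_time, frozenset_of_labels)."""
    versions = set()
    for i, (start, rrset) in enumerate(history):
        nxt = history[i + 1][0] if i + 1 < len(history) else float("inf")
        if start <= t and nxt > t - ttl:
            versions.add(rrset)
    return versions

def chain_ok(ds_hist, key_hist, t):
    """True iff every cached-DS / cached-DNSKEY combination a validator could
    hold at t contains a DNSKEY that one of the DS records refers to."""
    return all(ds & keys
               for ds in cacheable(ds_hist, t, TTL_DS)
               for keys in cacheable(key_hist, t, TTL_DNSKEY))

def rollover(ds_lead, dnskey_lag):
    """Run the rollover with DS_new added at t=1, the DNSKEY swapped ds_lead
    seconds later and DS_old dropped dnskey_lag seconds after the swap.
    Returns the instants at which some validator could fail to build a chain."""
    t_swap = 1 + ds_lead
    t_drop = t_swap + dnskey_lag
    ds_hist = [(0, frozenset({"old"})),
               (1, frozenset({"old", "new"})),      # DS_new published
               (t_drop, frozenset({"new"}))]        # DS_old withdrawn
    key_hist = [(0, frozenset({"old"})),
                (t_swap, frozenset({"new"}))]       # single-key swap, no overlap
    horizon = t_drop + TTL_DS + TTL_DNSKEY + 1
    return [t for t in range(horizon) if not chain_ok(ds_hist, key_hist, t)]

if __name__ == "__main__":
    print("waits ttl(ds) and ttl(dnskey):", rollover(TTL_DS, TTL_DNSKEY))  # []
    print("swaps DNSKEY too early:", len(rollover(TTL_DS // 2, TTL_DNSKEY)), "bad instants")
    print("drops DS_old too early:", len(rollover(TTL_DS, 0)), "bad instants")
```

The two failing schedules show the two windows the message's timing rules protect: a validator holding the old DS set against the new DNSKEY, and one holding the old DNSKEY set against the new DS set.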