On 9 Jul 2010, at 20:41, Hugo Salgado wrote:

>> But with the Double-signature method, besides the two KSK DNSKEY
>> records, you need two *RRSIG* records, one with each KSK.
>>
>> I think the Double-DS method still fits in the process of IANA,
>> if we take care that in the child you'll need to have the new KSK
>> DNSKEY record published before submitting your new DS, but not signing
>> with it. The only KSK RRSIG for the DNSKEY rrset should be with the old
>> KSK.

OK, I see what you mean.

> My proposal is to add to the Event 1 in 3.3.2 a paragraph like this:
>
> "If the parent zone policy requires a published DNSKEY before accepting
> a DS submission, add the key N into the DNSKEY RRset at this time, (or
> any time before Event 2) in a standby state (not yet used to sign the
> RRset)"

My concern is whether this draft is the right place for such text. The IANA process is a special case and is not concerned with the timing issues that are the focus of the document; as such, it may belong more in something that describes how that timing sequence has been implemented in a particular case.

Stephen
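
The standby state discussed in this message (key N published in the DNSKEY RRset, with the only KSK RRSIG made by the old KSK) can be checked mechanically before a DS is submitted. The following is an added example, not part of the thread or the draft; the function names and the sample keys are hypothetical and constructed, and only the key tag calculation follows RFC 4034 Appendix B.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ksk_states(dnskeys, rrsig_key_tags):
    """Map each KSK's key tag to 'signing' or 'standby'.

    dnskeys: (flags, protocol, algorithm, base64 key) tuples in the DNSKEY RRset.
    rrsig_key_tags: key tags of the RRSIGs covering that RRset.
    Key tags are not guaranteed unique; this sketch assumes no collision.
    """
    states = {}
    for flags, protocol, algorithm, key in dnskeys:
        if flags & 0x0001:  # SEP bit set: treated here as a KSK
            tag = key_tag(flags, protocol, algorithm, key)
            states[tag] = "signing" if tag in rrsig_key_tags else "standby"
    return states

def ready_for_ds_submission(dnskeys, rrsig_key_tags, old_tag, new_tag):
    """True when key N is published but only the old KSK signs the RRset."""
    states = ksk_states(dnskeys, rrsig_key_tags)
    return states.get(old_tag) == "signing" and states.get(new_tag) == "standby"

# Constructed sample keys (placeholder bytes, not real zone data).
OLD_KSK = (257, 3, 8, base64.b64encode(b"constructed-old-ksk-material").decode())
NEW_KSK = (257, 3, 8, base64.b64encode(b"constructed-new-ksk-material").decode())
ZSK = (256, 3, 8, base64.b64encode(b"constructed-zsk-material").decode())

if __name__ == "__main__":
    old_tag, new_tag = key_tag(*OLD_KSK), key_tag(*NEW_KSK)
    rrset = [OLD_KSK, NEW_KSK, ZSK]
    # Double-DS standby state: both KSKs published, RRSIG from the old KSK only.
    print(ksk_states(rrset, {old_tag}))
    print(ready_for_ds_submission(rrset, {old_tag}, old_tag, new_tag))
```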
