Quoting Stephen Morris <[email protected]>:


On 9 Jul 2010, at 20:41, Hugo Salgado wrote:

But with the Double-signature method, besides the two KSK DNSKEY
records, you need two *RRSIG* records, one with each KSK.

I think the Double-DS method still fits in the process of IANA,
if we take care that in the child you'll need to have the new KSK
DNSKEY record published before submitting your new DS, but not signing
with it. The only KSK RRSIG for the DNSKEY rrset should be with the old
KSK.

OK, I see what you mean.


My proposal is to add to the Event 1 in 3.3.2 a paragraph like this:

 "If the parent zone policy requires a published DNSKEY before accepting
 a DS submission, add the key N into the DNSKEY RRset at this time (or
 any time before Event 2) in a standby state (not yet used to sign the
 RRset)"

My concern is whether this draft is the right place for such text. The IANA process is a special case and is not concerned with the timing issues that are the focus of the document; as such, it may belong more in something that describes how that timing sequence has been implemented in a particular case.


But that particular case could be the norm!
Currently, not only the root has this policy. RIPE[1] and .br[2] also
require prepublication of DNSKEYs.

Hugo

[1]: http://www.ripe.net/rs/reverse/dnssec/registry-procedure.html
[2]: http://registro.br/faq/faq8.html#18 (Portuguese only)
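As an added illustration of the "standby KSK" state discussed above (not code from the thread or from any draft): the check below takes a zone's DNSKEY RRset and the key tags found in its RRSIG(DNSKEY) records, and reports whether the new KSK is published but not yet signing, which is the condition a parent that requires prepublication would want met before a DS submission. Key tags follow the RFC 4034 Appendix B calculation; the public key bytes are constructed placeholders, not real keys.

```python
"""Verify the 'published but not signing' state of a new KSK before DS submission."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # e.g. 8 = RSASHA256
    public_key: bytes   # raw public key field of the RDATA
    protocol: int = 3   # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B (does not handle the special rule for algorithm 1)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        return (self.flags & 0x0001) == 1  # SEP bit


def standby_ksks(dnskeys, rrsig_key_tags):
    """Key tags of KSKs present in the DNSKEY RRset but not signing it."""
    return {k.key_tag() for k in dnskeys if k.is_ksk() and k.key_tag() not in rrsig_key_tags}


def ready_to_submit_ds(dnskeys, rrsig_key_tags, new_ksk):
    """True only if new_ksk is published, not signing, and another KSK still signs."""
    published = {k.key_tag() for k in dnskeys}
    if new_ksk.key_tag() not in published:
        return False  # parent requiring prepublication would reject this DS
    if new_ksk.key_tag() in rrsig_key_tags:
        return False  # only the old KSK's RRSIG over the DNSKEY RRset should exist
    signing_ksks = {k.key_tag() for k in dnskeys if k.is_ksk()} & set(rrsig_key_tags)
    return bool(signing_ksks)


# Constructed sample zone: placeholder key bytes, not real RSA keys
OLD_KSK = DNSKEY(257, 8, bytes([1, 2, 3, 4]))
NEW_KSK = DNSKEY(257, 8, bytes([5, 6, 7, 8]))
ZSK = DNSKEY(256, 8, bytes([9, 10, 11, 12]))
ZONE_DNSKEYS = [OLD_KSK, NEW_KSK, ZSK]
# Key tags seen in RRSIG(DNSKEY) at Event 1: only the old KSK signs
RRSIGS_EVENT1 = {OLD_KSK.key_tag()}
```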



_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
