Hi Antoin,

I agree those signatures for the DNSKEY RRset with the ZSK are redundant. Also in Figure 9: Rollover for cooperating operators. Furthermore, in the STSS Rollovers, I think the DNSKEY_K_* notations should be replaced with DNSKEY_S_*.

Best regards,
Matthijs

On 04/19/2011 11:59 AM, Antoin Verschuren wrote:
> On 18-04-11 19:41, Peter Koch wrote:
>
>> Please review the document and send any comments you may have to the
>> list. If you have no comments but support (or do not support) the
>> document being published, please send that information to the list.
>
> Another observation on the examples in section 4.1.*:
>
> -I don't understand why the DNSKEY RRset should be signed with the ZSK.
> It's not wrong, but I don't see the point of signing the DNSKEY RRset
> with a ZSK. It's not needed and enlarges the zone. It's sufficient if
> the DNSKEY RRset is signed by the KSK only.
> All RRSIG_Z_*(DNSKEY) can be removed.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
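The redundancy discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages or of the draft under review: it lists the RRSIG(DNSKEY) records made by a key without the SEP flag (the RRSIG_Z_*(DNSKEY) signatures), matching signatures to keys by the RFC 4034 Appendix B key tag. The zone `example.`, the key material, the signatures and the function name `redundant_dnskey_sigs` are constructed for illustration; no signature is validated.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (valid for algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def redundant_dnskey_sigs(zone_text):
    """Return RRSIG(DNSKEY) records whose signing key lacks the SEP flag (a ZSK)."""
    records = [line.split() for line in zone_text.splitlines() if line.strip()]
    is_ksk = {}  # key tag -> True when the SEP flag (value 1) is set, i.e. a KSK
    for name, ttl, cls, rtype, *rdata in records:
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            is_ksk[key_tag(flags, proto, alg, "".join(rdata[3:]))] = bool(flags & 1)
    redundant = []
    for name, ttl, cls, rtype, *rdata in records:
        # RRSIG RDATA order: covered alg labels origttl expire inception keytag signer sig
        if rtype == "RRSIG" and rdata[0] == "DNSKEY":
            # Unknown key tags yield None and are left alone rather than flagged.
            if is_ksk.get(int(rdata[6])) is False:
                redundant.append(" ".join([name, ttl, cls, rtype, *rdata]))
    return redundant

# Constructed sample: key material and signatures are placeholders, not real keys.
KSK_KEY = base64.b64encode(b"constructed-key-A").decode()
ZSK_KEY = base64.b64encode(b"constructed-key-B").decode()
KSK_TAG = key_tag(257, 3, 8, KSK_KEY)
ZSK_TAG = key_tag(256, 3, 8, ZSK_KEY)
SIG = base64.b64encode(b"placeholder-signature").decode()
SAMPLE_ZONE = f"""
example. 3600 IN DNSKEY 257 3 8 {KSK_KEY}
example. 3600 IN DNSKEY 256 3 8 {ZSK_KEY}
example. 3600 IN RRSIG DNSKEY 8 1 3600 20110601000000 20110501000000 {KSK_TAG} example. {SIG}
example. 3600 IN RRSIG DNSKEY 8 1 3600 20110601000000 20110501000000 {ZSK_TAG} example. {SIG}
example. 3600 IN RRSIG SOA 8 1 3600 20110601000000 20110501000000 {ZSK_TAG} example. {SIG}
"""

if __name__ == "__main__":
    for rr in redundant_dnskey_sigs(SAMPLE_ZONE):
        print("redundant:", rr)
```

Only the ZSK's signature over the DNSKEY RRset is reported; the KSK's signature and the ZSK's signature over the SOA are left alone.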
