On 20-04-11 11:06, Matthijs Mekking wrote:

Hi Matthijs,

> I don't think the Double-DS is mandatory, you can still accommodate the
> secure child dns operator change with the ZSK Pre-Publish/ KSK
> Double-Signature approach (Figure 9).

Aagh, I missed that one. Figure 9 is not possible!

RRSIG_K_B(DNSKEY) can never be generated at child A, because he does not have B's private key! Same for RRSIG_K_A(DNSKEY) at child B. Child B cannot create sigs with child A's private key! This example is wrong.

Really, the only way it can work is with double-DS. Child A can only generate RRSIG_K_A(DNSKEY) and child B can only generate RRSIG_K_B(DNSKEY). Both DS_A and DS_B need to be at the parent for the rollover.

-- 
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:[email protected] xmpp:[email protected] http://www.sidn.nl/

_______________________________________________
DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
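The point made in the mail above is checkable with a small validator simulation. The following is an added example, not code from the mail, from the draft it discusses, or from either operator: it models the two child operators A and B each holding only their own private key, a parent DS set, and the secure-entry-point rule a validator applies (some DNSKEY in the child's RRset must match a DS at the parent, and an RRSIG over that RRset must verify under that same key). The keys are toy textbook RSA built from Mersenne primes with the hash reduced modulo n, chosen only so that "B cannot sign with A's key" is a real property of the code rather than an assertion; the owner name "example.", the key sizes and the RRset encoding are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA from Mersenne primes: a simulation of who *holds* which key
# during a DNSSEC operator change, not usable cryptography (tiny moduli, raw
# hash reduced mod n, no padding).  Exponent 65537 is coprime to each phi here.
MERSENNE = {31: (1 << 31) - 1, 61: (1 << 61) - 1, 89: (1 << 89) - 1, 107: (1 << 107) - 1}
E = 65537


@dataclass(frozen=True)
class DNSKEY:
    """Public half of a key as published in the child's DNSKEY RRset."""
    owner: str
    e: int
    n: int

    def ds(self) -> str:
        """DS digest the parent publishes for this key (SHA-256 over owner|e|n)."""
        return hashlib.sha256(f"{self.owner}|{self.e}|{self.n}".encode()).hexdigest()


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class PrivateKey:
    """Private half; only the operator that generated it can call sign()."""

    def __init__(self, owner: str, p: int, q: int):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))
        self.public = DNSKEY(owner, E, self.n)

    def sign(self, data: bytes) -> int:
        return pow(_digest(data, self.n), self._d, self.n)


def verify(key: DNSKEY, data: bytes, sig: int) -> bool:
    return pow(sig, key.e, key.n) == _digest(data, key.n)


def rrset_bytes(keys) -> bytes:
    """Canonical form of the DNSKEY RRset: sorted, one RR per line (constructed encoding)."""
    return b"\n".join(f"{k.owner} DNSKEY {k.e} {k.n}".encode()
                      for k in sorted(keys, key=lambda k: (k.owner, k.n)))


def rrsig(signer: PrivateKey, keys):
    """RRSIG_K_x(DNSKEY): signature over the DNSKEY RRset made with key x."""
    return (signer.public, signer.sign(rrset_bytes(keys)))


def chain_of_trust_ok(parent_ds: set, dnskey_rrset: set, rrsigs) -> bool:
    """Validator's secure-entry-point check: a DNSKEY must match a DS at the
    parent AND an RRSIG over the DNSKEY RRset must verify under that key."""
    data = rrset_bytes(dnskey_rrset)
    for key in dnskey_rrset:
        if key.ds() not in parent_ds:
            continue
        if any(signer == key and verify(key, data, sig) for signer, sig in rrsigs):
            return True
    return False


# Constructed scenario: operator A and operator B each hold only their own key.
K_A = PrivateKey("example.", MERSENNE[31], MERSENNE[61])
K_B = PrivateKey("example.", MERSENNE[89], MERSENNE[107])
DS_A, DS_B = K_A.public.ds(), K_B.public.ds()


def figure9_at_operator_b() -> bool:
    """The Figure 9 step the mail objects to: parent still holds only DS_A,
    operator B publishes both DNSKEYs but can only produce RRSIG_K_B(DNSKEY)."""
    rrset = {K_A.public, K_B.public}
    return chain_of_trust_ok({DS_A}, rrset, [rrsig(K_B, rrset)])


def b_labelling_its_sig_as_k_a() -> bool:
    """Operator B labels a signature made with K_B as if it were RRSIG_K_A(DNSKEY);
    the validator rejects it because it does not verify under K_A."""
    rrset = {K_A.public, K_B.public}
    bogus = (K_A.public, K_B.sign(rrset_bytes(rrset)))
    return chain_of_trust_ok({DS_A}, rrset, [bogus])


def double_ds_transition() -> bool:
    """Double-DS: with DS_A and DS_B both at the parent, a resolver that reaches
    either operator's copy of the zone validates."""
    parent = {DS_A, DS_B}
    at_a = chain_of_trust_ok(parent, {K_A.public}, [rrsig(K_A, {K_A.public})])
    at_b = chain_of_trust_ok(parent, {K_B.public}, [rrsig(K_B, {K_B.public})])
    return at_a and at_b


def after_rollover() -> bool:
    """Once DS_A is withdrawn, only operator B's zone still validates."""
    return (chain_of_trust_ok({DS_B}, {K_B.public}, [rrsig(K_B, {K_B.public})])
            and not chain_of_trust_ok({DS_B}, {K_A.public}, [rrsig(K_A, {K_A.public})]))


if __name__ == "__main__":
    print("Figure 9 step validates:", figure9_at_operator_b())
    print("B's signature labelled as K_A validates:", b_labelling_its_sig_as_k_a())
    print("Double-DS transition validates:", double_ds_transition())
    print("Post-rollover state consistent:", after_rollover())
```

The check in `chain_of_trust_ok` is the one that matters operationally: publishing K_A alongside K_B in the DNSKEY RRset does nothing for a validator unless an RRSIG made with K_A's private key is also present, and that private key is exactly what operator B does not have. Putting DS_B at the parent before the switch removes the need for it.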
