Hi Antoin,

It is assumed that in the cooperating case, both operators allow publishing of the signatures. So they don't create the signature themselves, they merely copy the signature and publish it in their version of the zone.

Best regards,
Matthijs

On 04/20/2011 11:53 AM, Antoin Verschuren wrote:
> On 20-04-11 11:06, Matthijs Mekking wrote:
>
> Hi Matthijs,
>
>> I don't think the Double-DS is mandatory, you can still accommodate the
>> secure child DNS operator change with the ZSK Pre-Publish / KSK
>> Double-Signature approach (Figure 9).
>
> Aagh, I missed that one.
> Figure 9 is not possible!
>
> RRSIG_K_B(DNSKEY) can never be generated at child A, because he does not
> have B's private key!
> Same for RRSIG_K_A(DNSKEY) at child B. Child B cannot create sigs with
> child A's private key!
>
> This example is wrong.
>
> Really, the only way it can work is with double-DS.
>
> Child A can only generate RRSIG_K_A(DNSKEY)
> and child B can only generate RRSIG_K_B(DNSKEY).
>
> Both DS_A and DS_B need to be at the parent for the rollover.

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
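The exchange above turns on one point: each operator can only produce the RRSIG made with its own KSK, so the two RRSIGs over the DNSKEY RRset in Figure 9 can both appear only if the operators exchange and copy signatures. The following Go program is an added illustration written for this page, not code from the thread, the draft or any DNS implementation. It models the two operators as Ed25519 key holders, the parent's DS as a SHA-256 digest of a public key, and the DNSKEY RRset as a deterministic encoding of both keys; the type names `Operator`, `ZoneVersion`, `CooperativeRollover` and `Validate` are this example's own. It shows that in the cooperating case a resolver holding only DS_A (or only DS_B) validates either operator's version of the zone, and that without the copied signature a version signed only by K_A cannot be validated from DS_B alone, which is the gap Antoin describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Operator models one DNS operator (child A or child B) holding its own KSK.
// Names and structure are this example's own, not from any real implementation.
type Operator struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// RRSIG is a simplified RRSIG_K_x(DNSKEY): which key made it and the signature bytes.
type RRSIG struct {
	Signer string
	Sig    []byte
}

// ZoneVersion is what one operator serves: the full DNSKEY RRset (K_A and K_B)
// plus whichever RRSIGs over it that operator publishes.
type ZoneVersion struct {
	DNSKEYs map[string]ed25519.PublicKey
	RRSIGs  []RRSIG
}

// NewOperator generates a fresh Ed25519 KSK for the named operator.
func NewOperator(name string) Operator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Operator{Name: name, priv: priv, Pub: pub}
}

// canonicalDNSKEYRRset deterministically encodes the whole key set, standing in for
// the canonical wire form a real RRSIG covers; both operators must sign identical bytes.
func canonicalDNSKEYRRset(keys map[string]ed25519.PublicKey) []byte {
	names := make([]string, 0, len(keys))
	for n := range keys {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s=%s\n", n, hex.EncodeToString(keys[n]))
	}
	return []byte(b.String())
}

// SignDNSKEY returns RRSIG_K_op(DNSKEY) over the combined RRset. It is the only
// signature this operator can make, since it holds no other operator's private key.
func (o Operator) SignDNSKEY(keys map[string]ed25519.PublicKey) RRSIG {
	return RRSIG{Signer: o.Name, Sig: ed25519.Sign(o.priv, canonicalDNSKEYRRset(keys))}
}

// DS stands in for the parent's DS record: a SHA-256 digest of the child's public key.
func DS(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Validate mimics a resolver: a zone version is secure if some published DNSKEY matches
// a DS at the parent and an RRSIG made by that same key verifies over the RRset.
func Validate(parentDS []string, z ZoneVersion) bool {
	data := canonicalDNSKEYRRset(z.DNSKEYs)
	for name, pub := range z.DNSKEYs {
		trusted := false
		for _, d := range parentDS {
			if d == DS(pub) {
				trusted = true
			}
		}
		if !trusted {
			continue
		}
		for _, s := range z.RRSIGs {
			if s.Signer == name && ed25519.Verify(pub, data, s.Sig) {
				return true
			}
		}
	}
	return false
}

// CooperativeRollover builds both zone versions for the cooperating case: each operator
// signs the shared DNSKEY RRset with its own key, the signatures are exchanged, and both
// are published in each version of the zone (copied, never re-created by the other side).
func CooperativeRollover(a, b Operator) (versionA, versionB ZoneVersion) {
	keys := map[string]ed25519.PublicKey{a.Name: a.Pub, b.Name: b.Pub}
	sigA := a.SignDNSKEY(keys) // child A can only generate RRSIG_K_A(DNSKEY)
	sigB := b.SignDNSKEY(keys) // child B can only generate RRSIG_K_B(DNSKEY)
	both := []RRSIG{sigA, sigB}
	return ZoneVersion{keys, both}, ZoneVersion{keys, both}
}

func main() {
	a, b := NewOperator("K_A"), NewOperator("K_B")
	va, vb := CooperativeRollover(a, b)
	dsA, dsB := []string{DS(a.Pub)}, []string{DS(b.Pub)}
	fmt.Println("DS_A only, cooperating:", Validate(dsA, va), Validate(dsA, vb))
	// Without the copied RRSIG_K_B, version A cannot be validated from DS_B alone.
	soloA := ZoneVersion{DNSKEYs: va.DNSKEYs, RRSIGs: []RRSIG{va.RRSIGs[0]}}
	fmt.Println("DS_B only, no cooperation:", Validate(dsB, soloA))
}
```

The `soloA` case is the situation in Antoin's objection: operator A publishing only what it can sign itself. In the model, that version is still secure for a resolver that has DS_A, which is why the thread arrives at either the signature exchange or having both DS records at the parent.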
