On 09/06/2012 01:44 PM, Tony Finch wrote:
> Matthijs Mekking <[email protected]> wrote:
>>
>
> Most of your points look OK to me though I have not yet reviewed
> the document in detail. I have a disagreement and a suggestion:
>
>> * Section 2.1. ZSK Rollovers
>>
>> - Bullet point 2, second paragraph. "Once the signing process is
>> complete and enough time has elapsed to allow all old information
>> to expire from caches, ...". It is actually more about the new
>> information to propagate to caches, so I would suggest to replace
>> it with:
>>
>> Once the signing process is complete and enough time has elapsed
>> to allow all new information to propagate to caches, ...
>>              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> No, I think the original text is correct. You can't remove the old
> DNSKEY until all the old RRsets (and RRSIGs) have expired, and you
> can't remove the old RRSIGs until the old DNSKEY RRsets have
> expired. Whether the caches have the new data is irrelevant since
> it's also OK for them to have no data. And when caches are filled
> is not under the authority's control.
Good point. The reason why this text attracted my attention is that with ZSK Double-Signature, the "old information" will not expire from caches. The previous versions of the RRsets which contain *only* the predecessor DNSKEY and predecessor signatures expire from the caches. It will have either a replacement that contains *both* predecessor and successor DNSKEY and signatures, or it will have no replacement. So, "old information" is perhaps too loose.

Best regards,
  Matthijs

>
>> - Bullet point 1 says that the ZSK Double Signature rollover is
>> also known as Double-DNSKEY. I have not heard of this term before
>> reading this document. Is it really known as?
>
> Double-KSK would be a better term, since Double-DNSKEY sounds like
> the normal steady state with a KSK and ZSK.
>
> Tony.
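Tony's timing rule above (the old DNSKEY must outlive every cached RRSIG it made, and the old RRSIGs must outlive every cached copy of the old DNSKEY RRset) can be checked mechanically. The following is an added example, not code from the thread or from the draft under review: a small Python model of which zone versions a resolver can hold in its cache at the same time, used to test whether a proposed rollover schedule ever leaves a validator with an RRSIG and a DNSKEY RRset that do not match. Propagation delay, TTLs, key tags and the version lists are constructed values; it covers both the Double-Signature and the Pre-Publish ZSK schedules.

```python
"""Check a ZSK rollover schedule for cache states a validator could not verify (added example)."""
from dataclasses import dataclass

INF = float("inf")

@dataclass(frozen=True)
class ZoneVersion:
    published: int         # time (s) at which the primary starts serving this version
    dnskeys: frozenset     # key tags present in the DNSKEY RRset
    signers: frozenset     # key tags whose RRSIGs cover the zone's RRsets

def validates(sig: ZoneVersion, key: ZoneVersion) -> bool:
    """A cached RRSIG verifies only if one of its signing keys is in the DNSKEY RRset the resolver holds."""
    return bool(sig.signers & key.dnskeys)

def last_obtainable(versions, i, dprp):
    """A resolver may still fetch version i until its successor has reached every server (Dprp later)."""
    return versions[i + 1].published + dprp if i + 1 < len(versions) else INF

def find_conflicts(versions, dprp, dnskey_ttl, max_ttl):
    """Return (sig_version, key_version, earliest_safe_publish_time) for every pair of an RRSIG
    from one version and a DNSKEY RRset from another that a cache could hold at the same time
    yet cannot validate. A record fetched at time q with TTL T is usable while t < q + T."""
    conflicts = []
    for a, sig_v in enumerate(versions):
        sig_end = last_obtainable(versions, a, dprp) + max_ttl        # old RRSIGs may linger until here
        for b, key_v in enumerate(versions):
            if a == b or validates(sig_v, key_v):
                continue
            key_end = last_obtainable(versions, b, dprp) + dnskey_ttl  # old DNSKEY RRset may linger until here
            if sig_v.published < key_end and key_v.published < sig_end:  # both can sit in one cache at once
                # The later version must wait until the earlier version's records have expired everywhere.
                conflicts.append((a, b, sig_end if b > a else key_end))
    return conflicts

# Constructed timings (seconds): propagation delay, DNSKEY TTL, largest TTL in the zone.
DPRP, DNSKEY_TTL, MAX_TTL = 3600, 3600, 86400
OLD, NEW = frozenset({"old"}), frozenset({"new"})

def double_signature(removal_time):
    """ZSK Double-Signature: both keys sign everything, then the old key and its RRSIGs go at once."""
    return [ZoneVersion(0, OLD, OLD), ZoneVersion(100_000, OLD | NEW, OLD | NEW),
            ZoneVersion(removal_time, NEW, NEW)]

def pre_publish(sign_time, removal_time):
    """ZSK Pre-Publish: publish the new key, later sign with it only, later remove the old key."""
    return [ZoneVersion(0, OLD, OLD), ZoneVersion(100_000, OLD | NEW, OLD),
            ZoneVersion(sign_time, OLD | NEW, NEW), ZoneVersion(removal_time, NEW, NEW)]
```

Removing the old key Dprp plus the largest TTL after the double-signed version was published yields no conflicts; removing it earlier reports the version pair that would fail and the earliest time at which the removal is safe.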
