Correct, applied your corrected text to the work-in-progress document.

Best regards,
Matthijs
On 09/18/2012 01:55 PM, Tony Finch wrote:
> Section 4.1.3. This description of a variant rollover is dangerous: the
> new key must sign the DNSKEY RRset before the DS change, even if signing
> the rest of the zone is delayed.
>
> This rollover has the drawback that it introduces double signatures
> over all data of the zone. Taking these zone size considerations
> into account, it is possible to not introduce the signatures made
> with DNSKEY_S_2 at the "new DNSKEY" step. Instead, signatures of
> DNSKEY_S_1 are replaced with signatures of DNSKEY_S_2 in an
> additional stage between the "DS change" and "DNSKEY removal" step:
> After the DS RRset containing DS_S_1 has expired from distant caches,
> the signatures can be swapped. Only after the new signatures made
> with DNSKEY_S_2 have been propagated, the old public key DNSKEY_S_1
> can be removed from the DNSKEY RRset.
>
> Corrected text:
>
> This rollover has the drawback that it introduces double signatures
> over all data of the zone. Taking these zone size considerations
> into account, it is possible to not introduce the signatures made
> with DNSKEY_S_2 at the "new DNSKEY" step, except for the signature
> over the DNSKEY RRset. Instead, signatures of DNSKEY_S_1 in the rest
> of the zone are replaced with signatures of DNSKEY_S_2 in an
> additional stage between the "DS change" and "DNSKEY removal" step:
> After the DS RRset containing DS_S_1 has expired from distant caches,
> the signatures can be swapped. Only after the new signatures made
> with DNSKEY_S_2 have been propagated, the old public key DNSKEY_S_1
> can be removed from the DNSKEY RRset.
>
> Tony.
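As an added illustration (not part of the thread, and not code from the draft), the following Python model walks the rollover stages from the two texts above and checks, at each stage, whether a validator holding either the old or the new DS can build a chain of trust to the zone data. The key names follow the draft text; the stage names, the per-stage DS cache views and the simplified validator are assumptions of this model.

```python
from dataclasses import dataclass

S1, S2 = "DNSKEY_S_1", "DNSKEY_S_2"


@dataclass(frozen=True)
class Stage:
    name: str
    dnskeys: frozenset      # keys published in the DNSKEY RRset
    dnskey_sigs: frozenset  # keys whose RRSIG covers the DNSKEY RRset
    zone_sigs: frozenset    # keys whose RRSIGs cover the rest of the zone
    ds_views: tuple         # DS RRsets a resolver may still hold in cache (assumed)


def validates(stage, ds_view):
    """True if a resolver holding ds_view can validate the zone's data at this stage."""
    # Entry into the zone: some DS must match a published key that signs the DNSKEY RRset.
    entry = any(k in stage.dnskeys and k in stage.dnskey_sigs for k in ds_view)
    if not entry:
        return False
    # Once the DNSKEY RRset is trusted, any key in it may sign the remaining data.
    return bool(stage.zone_sigs & stage.dnskeys)


def rollover(sign_dnskey_with_new_key):
    """Stages of the variant; the flag selects the original vs. the corrected text."""
    both, old, new = frozenset({S1, S2}), frozenset({S1}), frozenset({S2})
    dk_sigs = both if sign_dnskey_with_new_key else old
    return [
        Stage("initial", old, old, old, (old,)),
        Stage("new DNSKEY", both, dk_sigs, old, (old,)),
        # Parent now serves DS_S_2, but distant caches may still hold DS_S_1.
        Stage("DS change", both, dk_sigs, old, (old, new)),
        # DS_S_1 has expired from caches; zone signatures are swapped to S_2.
        Stage("swap signatures", both, dk_sigs, new, (new,)),
        Stage("DNSKEY removal", new, new, new, (new,)),
    ]


def first_bogus_stage(sign_dnskey_with_new_key):
    """Name of the first stage at which some cached DS view fails validation, else None."""
    for stage in rollover(sign_dnskey_with_new_key):
        for view in stage.ds_views:
            if not validates(stage, view):
                return stage.name
    return None


if __name__ == "__main__":
    print("original text, first bogus stage:", first_bogus_stage(False))
    print("corrected text, first bogus stage:", first_bogus_stage(True))
```

With the original wording the chain breaks at "DS change" for any resolver that already holds DS_S_2, because nothing signed by DNSKEY_S_2 covers the DNSKEY RRset; with the corrected wording every stage validates under both DS views.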
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
