Discussion moved from the provreg mailing list to the dnsop mailing list. The item discussed originally was draft-gieben-epp-keyrelay-00.txt, but we now agree it is draft-koch-dnsop-dnssec-operator-change-04 we are discussing.
And, it is me thinking we complicate things too much. I am asking questions like a devil's advocate so that Antoin (and Peter) convince me things must be this complicated. I made the claim that with double DS, both for old and new zone, we do not have to move the ZSK from old to new zone. Antoin says I am wrong (which I absolutely do believe I can be), but I want to understand.

Antoin then wrote:

> The problem is that a cache may have cached the DNSKEY RRset from the
> old zone, and while that is still valid the NS RRset changes at the
> parent and the resolver receives a new NS (or other) RRset from the
> new child zone with a new signature from the new ZSK that is not
> present in the cached DNSKEY RRset thus failing validation. This can
> only be solved if both DNSKEY RRsets contain both ZSKs from the new
> and old child zone. Same as you would do with a pre-publish ZSK rollover.

So, what we talk about is the case when different RRsets in the same zone are cached differently. Right?

> Transferring and keeping the old zone data on the new nameserver does
> not help, because at some point in time, at least the NS RRset needs
> to change and a new signature needs to be generated over it by a new
> ZSK that is not present in the DNSKEY RRset. A signature with the old
> ZSK over this new NS RRset cannot be generated because the old private
> ZSK is not available for signing by the new operator.

Patrik

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
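The cache interaction Antoin describes, as an added Python model that is not part of the thread: a resolver keeps the old operator's DNSKEY RRset cached (long TTL) while the NS RRset (short TTL) expires and is re-fetched from the new operator. Key tags, TTLs and hostnames are constructed sample values; signature checking is reduced to "is the signing key's tag in the DNSKEY RRset I hold".

```python
# Added model of the cached-DNSKEY problem; not the draft's or the thread's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class RRset:
    rtype: str
    rdata: frozenset   # DNSKEY: ZSK key tags published; NS: hostnames
    signed_by: str     # key tag of the ZSK whose RRSIG covers this RRset
    ttl: int

def zone(zsks, signer, ns):
    """RRsets a child operator serves. DNSKEY TTL deliberately exceeds NS TTL."""
    return {
        "DNSKEY": RRset("DNSKEY", frozenset(zsks), signer, ttl=3600),
        "NS": RRset("NS", frozenset(ns), signer, ttl=300),
    }

class Resolver:
    def __init__(self):
        self.cache = {}  # rtype -> (RRset, expiry time)

    def fetch(self, rtype, served, now):
        """Serve from cache while unexpired, otherwise query the zone now delegated to."""
        hit = self.cache.get(rtype)
        if hit and hit[1] > now:
            return hit[0]
        rr = served[rtype]
        self.cache[rtype] = (rr, now + rr.ttl)
        return rr

    def validate_ns(self, served, now):
        """True if the NS RRSIG's key tag is present in the DNSKEY RRset this resolver holds."""
        dnskey = self.fetch("DNSKEY", served, now)
        ns = self.fetch("NS", served, now)
        return ns.signed_by in dnskey.rdata

def operator_change(old_zsks, new_zsks):
    """t=0: resolve at the old operator. t=600: NS expired, DNSKEY still cached,
    parent delegation now points at the new operator (constructed timeline)."""
    old = zone(old_zsks, signer="old-zsk", ns=["ns.old.example"])
    new = zone(new_zsks, signer="new-zsk", ns=["ns.new.example"])
    r = Resolver()
    return r.validate_ns(old, now=0), r.validate_ns(new, now=600)

# Each operator publishes only its own ZSK: the new NS RRset fails at t=600.
# Both operators publish both ZSKs (pre-publish style): it validates.
```

The second call fails only in the first scenario, which is the mismatch between an unexpired DNSKEY RRset and a freshly fetched NS RRset that the quoted text describes.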
