On Mon, Mar 23, 2015 at 6:38 PM, Jan Včelák <jan.vce...@nic.cz> wrote:

> On 23.3.2015 18:26, Bob Harold wrote:
> > I think we might need to allow for more than one NSEC5 key and chain,
> > during a transition.  Otherwise it might be impossible to later create a
> > reasonable transition process.  This might require us to tag the NSEC5
> > records with an id, so that the chains and matching keys can be
> > distinguished.  Better to do this now than to try to retrofit later.
>
> Please, can you clarify which transition process do you mean?
>

Transitioning from one NSEC5 key to another.  I think the process would
need to be:
- add new NSEC5 key RR, but not used yet.  Also add new private key to all
authoritative servers.
- wait for new key to reach everywhere (propagation + ttl)
- change all NSEC5 records in the zone.
- wait for new records to reach everywhere
- remove old NSEC5 key record.  Also remove old private key from all
authoritative servers.
But for the servers and public to know which key to use, there will need to
be some id that matches NSEC5 records to the matching NSEC5 key.  That
requires changing the format of the NSEC5 records, so it cannot be done
later.


> > A few minor corrections or suggestions:
>
> Thank you. These will be fixed in the next version.
>
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
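The five-step rollover sketched in the message above, worked through as an added simulation that is not code from the thread or from the NSEC5 draft. It assumes a hypothetical `key_tag` field on each NSEC5 record that names the NSEC5KEY it was built under, and it replaces the real VRF with a keyed HMAC (`vrf()`), so the "published" verification key in this toy is the same secret the authoritative servers hold; a real VRF public key would not have that property. It goes a little beyond the message by also showing what a validator with a stale NSEC5KEY cache or a stale cached denial sees at each step, which is why the two "wait" steps are there:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def vrf(secret: bytes, name: str) -> bytes:
    """Stand-in for the NSEC5 VRF (assumption: HMAC-SHA256, not publicly verifiable)."""
    return hmac.new(secret, name.lower().encode(), hashlib.sha256).digest()


def chain_hash(proof: bytes) -> bytes:
    """Position of a name in the NSEC5 chain: hash of the VRF output."""
    return hashlib.sha256(proof).digest()


@dataclass(frozen=True)
class NSEC5:
    key_tag: int        # hypothetical: which NSEC5KEY this record was built under
    owner_hash: bytes
    next_hash: bytes


@dataclass
class Zone:
    names: list
    published_keys: dict = field(default_factory=dict)  # key_tag -> NSEC5KEY (what validators fetch)
    private_keys: dict = field(default_factory=dict)    # key_tag -> secret, on every auth server
    chain: list = field(default_factory=list)           # NSEC5 records


def introduce_key(zone: Zone, key_tag: int) -> None:
    """Step 1: publish the new NSEC5KEY and distribute the private key; chain untouched."""
    if key_tag in zone.published_keys:
        raise ValueError(f"key tag {key_tag} already published")
    secret = secrets.token_bytes(32)
    zone.private_keys[key_tag] = secret
    zone.published_keys[key_tag] = secret  # toy: HMAC verifier needs the same key


def resign_chain(zone: Zone, key_tag: int) -> None:
    """Step 3: rebuild every NSEC5 record under key_tag (circular, sorted by hash)."""
    if key_tag not in zone.published_keys:
        raise ValueError("chain must not reference an unpublished key")
    hashes = sorted(chain_hash(vrf(zone.private_keys[key_tag], n)) for n in zone.names)
    zone.chain = [NSEC5(key_tag, h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def retire_key(zone: Zone, key_tag: int) -> None:
    """Step 5: remove the old key, refused while any NSEC5 record still names it."""
    if any(r.key_tag == key_tag for r in zone.chain):
        raise ValueError(f"chain still references key tag {key_tag}")
    del zone.published_keys[key_tag]
    del zone.private_keys[key_tag]


def covers(rec: NSEC5, h: bytes) -> bool:
    """True if h falls in the gap after rec.owner_hash; last record wraps to the first."""
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


def deny(zone: Zone, qname: str):
    """Authoritative side: covering NSEC5 record plus the proof under the chain's key."""
    key_tag = zone.chain[0].key_tag
    proof = vrf(zone.private_keys[key_tag], qname)
    rec = next(r for r in zone.chain if covers(r, chain_hash(proof)))
    return rec, proof


def validate(published_keys: dict, qname: str, rec: NSEC5, proof: bytes) -> bool:
    """Validator side: select the key by the record's tag, verify proof, check coverage."""
    key = published_keys.get(rec.key_tag)
    if key is None:
        return False  # key not yet (or no longer) published: nothing to verify against
    if not hmac.compare_digest(proof, vrf(key, qname)):
        return False
    return covers(rec, chain_hash(proof))


def rollover_demo() -> dict:
    """Roll from key tag 1 to 2 and record what fresh and stale validators see."""
    zone = Zone(names=["example.", "a.example.", "m.example."])  # constructed zone
    q = "nope.example."                                            # name that does not exist
    introduce_key(zone, 1)
    resign_chain(zone, 1)
    seen = {"steady_state": validate(zone.published_keys, q, *deny(zone, q))}

    stale_keys = dict(zone.published_keys)   # validator that has not refreshed NSEC5KEY
    old_rec, old_proof = deny(zone, q)       # denial cached before the roll
    introduce_key(zone, 2)                   # step 1
    seen["published_fresh"] = validate(zone.published_keys, q, *deny(zone, q))
    seen["published_stale_keys"] = validate(stale_keys, q, *deny(zone, q))
    try:
        retire_key(zone, 1)                  # step 5 attempted too early
        seen["early_retire_refused"] = False
    except ValueError:
        seen["early_retire_refused"] = True
    resign_chain(zone, 2)                    # step 3
    seen["resigned_fresh"] = validate(zone.published_keys, q, *deny(zone, q))
    seen["resigned_stale_keys"] = validate(stale_keys, q, *deny(zone, q))   # skipped step 2
    seen["resigned_stale_record"] = validate(zone.published_keys, q, old_rec, old_proof)
    retire_key(zone, 1)                      # step 5
    seen["retired_stale_record"] = validate(zone.published_keys, q, old_rec, old_proof)  # skipped step 4
    return seen
```

The tag is what lets `validate()` pick the right key while both NSEC5KEYs are published; the two failing cases in `rollover_demo()` are a validator that has not yet fetched key 2 when the chain is re-signed, and a cached denial under key 1 after key 1 is withdrawn, which is what the two wait steps prevent.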
