Andrew Sullivan <[email protected]> wrote:
>
> For instance, people also express astonishment that DNSKEYs don't
> expire. Everyone always has to be reminded that signatures expire, and
> if you want to expire keys you take them out of the zone.

I agree with your message. It might be useful to explain this DNSKEY
oddity by comparison with x.509 certificates. In particular, it's the cert
that expires, not the key, and when you renew a cert you can re-use the
same key.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
Portland, Plymouth, North Biscay: Southerly or southwesterly 6 to gale 8
veering westerly or southwesterly 4 or 5, occasionally 6 later. Moderate or
rough. Rain or showers. Good, occasionally poor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
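
The point made in the message above, as an added example that is not part of the original thread or of any DNS software: the DNSKEY RDATA has no time fields, while the RRSIG carries the inception and expiration, so re-signing with the same key only changes the RRSIG. The records, the `example.` zone, the placeholder key bytes and the signature text are constructed, and cryptographic verification is left out.

```python
import base64
import struct
from datetime import datetime, timezone

def parse_dnskey(rdata: str) -> dict:
    """DNSKEY RDATA (RFC 4034 s2): flags, protocol, algorithm, key. No time fields."""
    flags, protocol, algorithm, *key_b64 = rdata.split()
    return {"flags": int(flags), "protocol": int(protocol),
            "algorithm": int(algorithm), "key": base64.b64decode("".join(key_b64))}

def key_tag(key: dict) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA wire form."""
    wire = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["key"]
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(wire))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def _ts(field: str) -> datetime:
    # RRSIG presentation-format timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(rdata: str) -> dict:
    """RRSIG RDATA (RFC 4034 s3): the validity window is stored here."""
    f = rdata.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "expiration": _ts(f[4]),
            "inception": _ts(f[5]), "key_tag": int(f[6]), "signer": f[7]}

def signature_valid_at(sig: dict, key: dict, now: datetime) -> bool:
    """Time and key-reference check only; cryptographic verification is omitted."""
    return (sig["key_tag"] == key_tag(key) and sig["algorithm"] == key["algorithm"]
            and sig["inception"] <= now <= sig["expiration"])

# Constructed sample data: 32 placeholder bytes stand in for an Ed25519 public key.
DNSKEY = "257 3 15 " + base64.b64encode(bytes(range(32))).decode()
KEY = parse_dnskey(DNSKEY)
TAG = key_tag(KEY)
# The same key signs twice; only the RRSIG window changes on re-signing.
OLD_SIG = parse_rrsig(f"DNSKEY 15 1 3600 20240131000000 20240101000000 {TAG} example. c2ln")
NEW_SIG = parse_rrsig(f"DNSKEY 15 1 3600 20240315000000 20240214000000 {TAG} example. c2ln")
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("DNSKEY fields:", sorted(KEY))  # no inception or expiration
    print("old signature valid:", signature_valid_at(OLD_SIG, KEY, NOW))
    print("new signature valid:", signature_valid_at(NEW_SIG, KEY, NOW))
```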
