<clueless *and* top-posting>
Okay, could you describe a situation where a KSK
rollover does *not* require replacement of trust
anchors?  I must be missing something...

</clueless *and* top-posting>

  --Rip 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Olaf M. Kolkman
> Sent: Monday, June 13, 2005 10:08 AM
> To: [email protected]
> Subject: [dnsop] DOP #13: KSK/ZSK differences nit
> 
> Also see thread starting at:
>    http://darkwing.uoregon.edu/~llynch/dnsop/msg03465.html
> 
> 
> Ed was the last to respond:
> 
> > >>
> > >>  #4.2.3  Difference Between ZSK and KSK Rollovers
> > >>  #
> > >>  #   Note that KSK rollovers and ZSK rollovers are different.  A zone-key
> > >>  #   rollover can be handled in two different ways: pre-publish (Section
> > >>  #   Section 4.2.1.1) and double signature (Section Section 4.2.1.2).
> > >>
> > >>  They really aren't that different - it's just the interaction with the
> > >>  parent and waiting on the parent that is different.  To a KSK, the "entire"
> > >>  zone is the DNSKEY set, as opposed to all sets for the ZSK.
> > >
> > >Suggestion
> > >
> > >    Note that KSK rollovers and ZSK rollovers are slightly different.
> > >                                                  ^^^^^^^^
> > 
> > Maybe that's over simplifying it.
> > 
> > Note that a KSK rollover and a ZSK rollover are similar but differ in
> > one fundamental aspect.  KSK rollovers involve requesting action by
> > the parent and the ensuing delay in waiting for it.  Other than that,
> > both can be achieved by pre-publishing the new key or by using double
> > signatures during the rollover.
> 
> Another try for draft text:
> 
>   Note that KSK rollovers and ZSK rollovers are different in the sense
>   that a KSK rollover requires interaction with the parent (and possibly
>   replacing of trust anchors) and the ensuing delay waiting for it.
>  
> 
> 
> --Olaf
> 
> ---------------------------------| Olaf M. Kolkman
> ---------------------------------| RIPE NCC
> ---------------------------------| JID: olaf at jabber.secret-wg.org
> .
> dnsop resources:_____________________________________________________
> web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
> mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
> 
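
The parent dependency discussed in this thread, as an added example that is not part of the original messages or the draft: a check of which external actions still block withdrawal of an old key. It assumes SEP flag = KSK (a convention only), SHA-256 DS records, and hypothetical names (`external_blockers`, `example.org.`); key bytes are constructed filler, not real keys.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_for(owner: str, rdata: bytes):
    """DS fields for a DNSKEY: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def external_blockers(owner, new_key, parent_ds, trust_anchors=()):
    """External actions still pending before the old key may be withdrawn.

    parent_ds: set of DS tuples published by the parent.
    trust_anchors: one set of DS-style tuples per validator that configured
    this zone's KSK directly (assumption: anchors are held in DS form).
    """
    flags = struct.unpack("!H", new_key[:2])[0]
    if not flags & 0x0001:  # SEP clear: treated as a ZSK, rollover is zone-local
        return []
    want = ds_for(owner, new_key)
    pending = []
    if want not in parent_ds:
        pending.append("parent DS update")
    if any(want not in ta for ta in trust_anchors):
        pending.append("trust anchor replacement")
    return pending

if __name__ == "__main__":
    owner = "example.org."                                 # constructed zone name
    old_ksk = dnskey_rdata(257, 15, bytes(range(32)))      # constructed key bytes
    new_ksk = dnskey_rdata(257, 15, bytes(range(32, 64)))
    new_zsk = dnskey_rdata(256, 15, bytes(range(64, 96)))
    parent = {ds_for(owner, old_ksk)}                      # parent not yet updated
    print("ZSK:", external_blockers(owner, new_zsk, parent))
    print("KSK:", external_blockers(owner, new_ksk, parent, [parent]))
```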