Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

[Jelte Jansen <jelte at NLnetLabs.nl>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Andrews wrote:
> 	It's not a issue.  You remove the DS's which have that
> 	algorithm then once they have expired from caches you can
> 	remove the DNSKEY.

That could still leave the zone itself in an inconsistent state... I'm
not talking about the DS<->child apex case, but the apex<->zone data case.

The DNSKEY that is removed or added doesn't have to be one that is
pointed to by a DS. Merely being present in the apex implies that there
should be signatures of that algorithm in the zone.

If you don't add/remove all keys at the same time, the first or last
DNSKEY couldn't even be a KSK; since those keys aren't used to sign the
zone data, having a KSK as the only key of a certain algorithm number
would always violate section 2.2.

Unless of course I am misreading that MUST there :)

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAki/444ACgkQ4nZCKsdOncVoEACg2XThBDfSoUosRQBUTDcL2jYg
bKkAoKNU4hLa/s5/xPlGVQp6XKXV7Uyv
=TLej
-----END PGP SIGNATURE-----
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop