Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Resending my message because of the ietf mailing list problems
-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 10:32:35 +0200
From: Jelte Jansen <jelte at NLnetLabs.nl>
To: Mark Andrews <Mark_Andrews at isc.org>
CC: dnsop at ietf.org
References: <200809041352.m84DqvgV087671 at drugs.dv.isc.org>
Mark Andrews wrote:
>> No. The DS / published trust anchor indicates support for
>> the algorithm. Just having a DNSKEY at the apex does not
>> indicate support for an algorithm.
>
We must be reading this part differently...
There MUST be an RRSIG for each RRset using at least one DNSKEY of
each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
itself MUST be signed by each algorithm appearing in the DS RRset
located at the delegating parent (if any).
What I'm getting from this is that the keyset at the apex must (at
least) be signed by each algorithm in the DS referral, and every RRset
in the zone must be signed by each algorithm in the apex keyset.
Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIwVz34nZCKsdOncURAskUAKCyD/4RFmp5urc2aJjP1sZfdxcSTQCfVcWj
kN7cm1ZnZqOqi8HfB16ECeo=
=Z2Mw
-----END PGP SIGNATURE-----
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
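The two requirements quoted from RFC 4035 above (every RRset signed with each algorithm in the apex DNSKEY RRset; the apex DNSKEY RRset signed with each algorithm in the parent's DS RRset) are what make an algorithm rollover order-sensitive. The checker below is an added example, not code from the thread or from any DNS implementation: it models a zone purely as sets of algorithm numbers and reports which RRsets break either rule. The zone snapshots, the RRset labels and the step names are constructed; the algorithm numbers 5 (RSASHA1) and 8 (RSASHA256) are the IANA registry values.

```python
"""Check the RFC 4035 section 2.2 algorithm-coverage rules on a zone snapshot.

Added example for the thread above; all snapshots below are constructed.
"""
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA1 = 5
RSASHA256 = 8

# Label used for the apex DNSKEY RRset inside a snapshot (constructed naming).
APEX_DNSKEY = "apex/DNSKEY"
RRSETS = (APEX_DNSKEY, "apex/SOA", "www/A")


@dataclass
class ZoneSnapshot:
    """Algorithm-level view of a signed zone at one moment of a rollover."""
    ds_algorithms: set        # algorithms in the parent's DS RRset
    dnskey_algorithms: set    # algorithms in the apex DNSKEY RRset
    rrsig_algorithms: dict    # RRset label -> algorithms of the RRSIGs covering it


def check_algorithm_coverage(snap: ZoneSnapshot) -> list:
    """Return the rule violations found in ``snap`` (empty list means compliant)."""
    problems = []
    # Rule: the apex DNSKEY RRset MUST be signed by each algorithm in the DS RRset.
    apex_sigs = snap.rrsig_algorithms.get(APEX_DNSKEY, set())
    for alg in sorted(snap.ds_algorithms - apex_sigs):
        problems.append(f"{APEX_DNSKEY}: no RRSIG with algorithm {alg}, "
                        f"but the parent DS RRset references that algorithm")
    # Rule: every RRset MUST have an RRSIG from at least one DNSKEY of each
    # algorithm present in the apex DNSKEY RRset.  Extra RRSIGs whose algorithm
    # has no DNSKEY are not a violation; validators simply cannot use them.
    for label, sigs in snap.rrsig_algorithms.items():
        for alg in sorted(snap.dnskey_algorithms - sigs):
            problems.append(f"{label}: no RRSIG with algorithm {alg}, "
                            f"but the apex DNSKEY RRset contains that algorithm")
    return problems


def snapshot(ds, dnskey, sigs, overrides=None) -> ZoneSnapshot:
    """Build a constructed snapshot where every RRset carries RRSIGs of ``sigs``."""
    rrsigs = {label: set(sigs) for label in RRSETS}
    rrsigs.update(overrides or {})
    return ZoneSnapshot(set(ds), set(dnskey), rrsigs)


def steady_state() -> ZoneSnapshot:
    """Zone signed with algorithm 5 only, DS for algorithm 5 only."""
    return snapshot({RSASHA1}, {RSASHA1}, {RSASHA1})


def conservative_rollover() -> dict:
    """Step-by-step 5 -> 8 rollover that satisfies both rules at every step."""
    return {
        "1 steady state (alg 5)": steady_state(),
        "2 add alg 8 RRSIGs everywhere": snapshot({RSASHA1}, {RSASHA1}, {RSASHA1, RSASHA256}),
        "3 add alg 8 DNSKEY": snapshot({RSASHA1}, {RSASHA1, RSASHA256}, {RSASHA1, RSASHA256}),
        "4 add alg 8 DS": snapshot({RSASHA1, RSASHA256}, {RSASHA1, RSASHA256}, {RSASHA1, RSASHA256}),
        "5 remove alg 5 DS": snapshot({RSASHA256}, {RSASHA1, RSASHA256}, {RSASHA1, RSASHA256}),
        "6 remove alg 5 DNSKEY": snapshot({RSASHA256}, {RSASHA256}, {RSASHA1, RSASHA256}),
        "7 remove alg 5 RRSIGs": snapshot({RSASHA256}, {RSASHA256}, {RSASHA256}),
    }


def premature_ds() -> list:
    """Shortcut: publish the alg 8 DS before the DNSKEY RRset is signed with alg 8."""
    return check_algorithm_coverage(
        snapshot({RSASHA1, RSASHA256}, {RSASHA1}, {RSASHA1}))


def unsigned_new_dnskey() -> list:
    """Shortcut: add the alg 8 DNSKEY, sign only the DNSKEY RRset with it."""
    return check_algorithm_coverage(
        snapshot({RSASHA1}, {RSASHA1, RSASHA256}, {RSASHA1},
                 overrides={APEX_DNSKEY: {RSASHA1, RSASHA256}}))


if __name__ == "__main__":
    for name, snap in conservative_rollover().items():
        print(name, "->", check_algorithm_coverage(snap) or "ok")
    print("premature DS ->", premature_ds())
    print("unsigned new DNSKEY ->", unsigned_new_dnskey())
```

The ordering in `conservative_rollover` follows directly from the two rules: RRSIGs for the new algorithm go in before its DNSKEY, and the DNSKEY before its DS; removal runs in the reverse order. The two shortcut functions show what a validator would see if either ordering is violated, which is the case the thread is arguing about.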