
Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section



And Mark's reply to my previous message:

-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 18:39:49 +1000
From: Mark Andrews <Mark_Andrews at isc.org>
To: Jelte Jansen <jelte at NLnetLabs.nl>
CC: dnsop at ietf.org


> Mark Andrews wrote:
>>> 	No.  The DS / published trust anchor indicates support for
>>> 	the algorithm.  Just having a DNSKEY at the apex does not
>>> 	indicate support for an algorithm.
> 
> 
> We must be reading this part differently...
> 
>    There MUST be an RRSIG for each RRset using at least one DNSKEY of
>    each algorithm in the zone apex DNSKEY RRset.  The apex DNSKEY RRset
>    itself MUST be signed by each algorithm appearing in the DS RRset
>    located at the delegating parent (if any).
> 
> 
> What I'm getting from this is that the keyset at the apex must (at
> least) be signed by each algorithm in the DS referral, and every RRset
> in the zone must be signed by each algorithm in the apex keyset.
> 
 	which is referred to by a DS / trust anchor.

 	DNSKEYs are never referenced in isolation.  There is always
 	a DS / trust anchor which specifies which algorithms are
 	in use.

 	Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
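The two MUSTs quoted in the thread, turned into a small checker and walked through an RSASHA1 to RSASHA256 rollover. This is an added example, not code from the thread, from ISC or from NLnet Labs. It models a zone purely by algorithm numbers (IANA numbers 5 = RSASHA1, 8 = RSASHA256; no real keys or signatures), the zone states and owner names are constructed, and it checks only the two quoted rules: nothing about TTLs, caching or validator behaviour, which the thread does not discuss.

```python
"""Checker for the two RFC 4035 section 2.2 MUSTs quoted in the thread.

Added example, not code from the thread or from ISC / NLnet Labs.  A zone is
modelled by algorithm numbers only (no real keys or signatures), and the zone
states below are constructed to walk through an algorithm rollover.
"""

RSASHA1 = 5      # IANA DNSSEC algorithm numbers
RSASHA256 = 8


def check_zone(apex, dnskey_algs, rrsig_algs, ds_algs):
    """Return the list of rule violations for one zone state.

    apex        -- owner name of the zone apex, e.g. "example."
    dnskey_algs -- set of algorithms present in the apex DNSKEY RRset
    rrsig_algs  -- {"<owner>/<type>": set of RRSIG algorithms covering it}
    ds_algs     -- set of algorithms in the parent's DS RRset (or in the
                   configured trust anchor); empty if there is none
    """
    problems = []

    # Rule 1: every RRset needs an RRSIG for each algorithm in the apex
    # DNSKEY RRset.  Extra RRSIGs from algorithms that are not in the DNSKEY
    # RRset are not forbidden by the quoted text, so they are not flagged.
    for rrset, algs in sorted(rrsig_algs.items()):
        missing = dnskey_algs - algs
        if missing:
            problems.append(f"{rrset}: no RRSIG for algorithm(s) {sorted(missing)} "
                            f"although they appear in the apex DNSKEY RRset")

    # Rule 2: the apex DNSKEY RRset must be signed by each algorithm in the
    # DS RRset at the delegating parent (or the trust anchor).
    dnskey_sigs = rrsig_algs.get(f"{apex}/DNSKEY", set())
    missing = ds_algs - dnskey_sigs
    if missing:
        problems.append(f"{apex}/DNSKEY: not signed with DS algorithm(s) "
                        f"{sorted(missing)}")
    return problems


def zone_state(apex, sig_algs):
    """Constructed zone: every RRset in it carries RRSIGs of the same algorithms."""
    rrsets = [f"{apex}/SOA", f"{apex}/NS", f"{apex}/DNSKEY", f"www.{apex}/A"]
    return {rr: set(sig_algs) for rr in rrsets}


def rollover_walkthrough(apex="example."):
    """Rollover from RSASHA1 to RSASHA256 checked against the two rules, plus
    two out-of-order states.  Returns {label: [violations]}."""
    old, new = {RSASHA1}, {RSASHA1, RSASHA256}
    return {
        # Order that is clean under both rules at every step: sign with the
        # new algorithm first, then publish its DNSKEY, then the parent's DS.
        "1 steady state, RSASHA1 only":
            check_zone(apex, old, zone_state(apex, old), old),
        "2 add RSASHA256 RRSIGs, DNSKEY and DS unchanged":
            check_zone(apex, old, zone_state(apex, new), old),
        "3 publish RSASHA256 DNSKEY":
            check_zone(apex, new, zone_state(apex, new), old),
        "4 parent publishes RSASHA256 DS":
            check_zone(apex, new, zone_state(apex, new), new),
        # Out of order: DNSKEY published before the RRSIGs exist -> rule 1.
        "X DNSKEY before RRSIGs":
            check_zone(apex, new, zone_state(apex, old), old),
        # Out of order: DS published before the apex DNSKEY RRset is signed
        # with that algorithm -> rule 2.
        "Y DS before DNSKEY RRset is signed with it":
            check_zone(apex, old, zone_state(apex, old), new),
    }


if __name__ == "__main__":
    for label, problems in rollover_walkthrough().items():
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

Removing the old algorithm is the same sequence in reverse: the parent drops the DS first, then the DNSKEY goes, and only then the RRSIGs, so that neither rule is violated at any intermediate state. Note that state X is a violation of the first rule even though the DS at the parent is unchanged, which is exactly the reading of the text the two posters differ on; the checker implements the rule as literally quoted.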