Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Mark Andrews wrote:
>
> What I'm getting from this is that the keyset at the apex must (at
> least) be signed by each algorithm in the DS referral, and every rrset
> in the zone must be signed by each algorithm in the apex keyset.
>
>> which is referred to by a DS / trust anchor.
>
>> DNSKEYs are never referenced in isolation. There is always
>> a DS / trust anchor which specifies which algorithms are
>> in use.
>
Is that actually said anywhere in the DNSSEC RFCs?
Jelte
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop