Resending my message because of the ietf mailing list problems

-------- Original Message --------
Subject: Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section
Date: Fri, 05 Sep 2008 10:32:35 +0200
From: Jelte Jansen <[EMAIL PROTECTED]>
To: Mark Andrews <[EMAIL PROTECTED]>
CC: dnsop@ietf.org
References: <[EMAIL PROTECTED]>

Mark Andrews wrote:
>> No. The DS / published trust anchor indicates support for
>> the algorithm. Just having a DNSKEY at the apex does not
>> indicate support for an algorithm.
>
> We must be reading this part differently...

   There MUST be an RRSIG for each RRset using at least one DNSKEY of
   each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
   itself MUST be signed by each algorithm appearing in the DS RRset
   located at the delegating parent (if any).

What I'm getting from this is that the keyset at the apex must (at least)
be signed by each algorithm in the DS referral, and every rrset in the
zone must be signed by each algorithm in the apex keyset.

Jelte

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
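The two rules quoted in the message, as an added example that is not part of the thread or of any IETF document: a checker over a constructed dict-based zone model (record contents, owner names and the choice of algorithms 5 and 8 are assumptions) that flags the intermediate states a key algorithm rollover must avoid.

```python
# Added example (not code from the thread). It checks the two RFC 4035 rules the message
# quotes against a constructed zone model and shows states a key algorithm rollover must
# avoid. Algorithm numbers are IANA values (5 = RSASHA1, 8 = RSASHA256); zone data is
# made up; unsigned delegation data (NS, glue) is outside the model.

def check_algorithm_coverage(zone, apex, ds_algorithms):
    """Return violations of both rules (empty list if the zone satisfies them).
    zone maps (owner, type) -> records; DNSKEY records carry {"alg": n} and each RRset's
    signatures live under (owner, "RRSIG:" + type); ds_algorithms is the parent's DS set."""
    problems = []
    # Rule 2: the apex DNSKEY RRset must be signed by every algorithm in the DS RRset.
    dnskey_sig_algs = {s["alg"] for s in zone.get((apex, "RRSIG:DNSKEY"), [])}
    for alg in sorted(ds_algorithms - dnskey_sig_algs):
        problems.append(f"{apex} DNSKEY lacks an RRSIG with algorithm {alg} (listed in DS)")
    # Rule 1: every RRset must be signed with each algorithm in the apex DNSKEY RRset.
    apex_algs = {k["alg"] for k in zone.get((apex, "DNSKEY"), [])}
    for owner, rtype in zone:
        if rtype.startswith("RRSIG:"):
            continue
        sig_algs = {s["alg"] for s in zone.get((owner, "RRSIG:" + rtype), [])}
        for alg in sorted(apex_algs - sig_algs):
            problems.append(f"{owner} {rtype} lacks an RRSIG with algorithm {alg}")
    return problems

def example_zone(algorithms):
    """Constructed 'example.' zone with every RRset signed by each listed algorithm."""
    zone = {("example.", "DNSKEY"): [{"alg": a} for a in algorithms],
            ("example.", "SOA"): [{"serial": 2008090501}],
            ("www.example.", "A"): [{"address": "192.0.2.1"}]}
    for owner, rtype in list(zone):
        zone[(owner, "RRSIG:" + rtype)] = [{"alg": a} for a in algorithms]
    return zone

def premature_dnskey_rollover():
    """Mistake: alg-8 DNSKEY published (and signing the DNSKEY RRset) before the
    other RRsets carry alg-8 signatures, so rule 1 fails for SOA and A."""
    zone = example_zone([5])
    zone[("example.", "DNSKEY")].append({"alg": 8})
    zone[("example.", "RRSIG:DNSKEY")].append({"alg": 8})
    return check_algorithm_coverage(zone, "example.", {5})

def premature_ds_rollover():
    """Mistake: parent publishes an alg-8 DS while the apex DNSKEY RRset is signed
    only with alg 5, so rule 2 fails."""
    return check_algorithm_coverage(example_zone([5]), "example.", {5, 8})

def double_signed_step():
    """Safe intermediate state: all RRsets signed with both algorithms, so the
    DS RRset may list 5, 8 or both without violating either rule."""
    return check_algorithm_coverage(example_zone([5, 8]), "example.", {5, 8})
```

Run each of the three step functions to see which rule a given rollover state breaks; an empty list means a validator following either reading of the text has no algorithm-coverage reason to reject the zone.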