Dear WG,

I've implemented parts of RFC 4641 in an automated zone signing and key rollover tool. Currently I'm looking for extensions to use this tool for the rollover of keys on dynamic DNS zones. In this context I think that section 4.2.1.1 "Pre-Publish Key Rollover" does not fulfill all the requirements of incremental signing or dynamic DNS zones.

At the "new RRSIG" stage the assumption is that DNSKEY 11 is used to sign *all* the data in the zone. Then you have to wait the time it takes to propagate the new zone plus the maximum TTL of any data before removing the old DNSKEY. While this is perfectly valid for statically signed zones, it's quite difficult to specify the point in time when all the old RRSIGs are removed from the zone if someone uses incremental zone signing or dynamic zones. To be on the safe side, the waiting period should be the propagation delay plus the "signature publication period" plus the maximum TTL of any data in the zone before removal of the old DNSKEY. Even if the current text is formally correct on this, I think it would be helpful to highlight this a bit more.

Maybe it's safe to wait only "propagation delay" plus "signature validity period", because a TTL is never longer than the RRSIG lifetime of the record. But I'm not sure if this is an implementation behaviour (of BIND) or if this is a requirement of the DNSSEC protocol spec.


Best regards
 Holger Zuleger
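The timing question raised in the message, worked through as an added example (this is not code from the message, from the author's tool, or from RFC 4641). It models the "new RRSIG" stage of a pre-publish rollover for a zone whose signer only refreshes RRSIGs that are close to expiring, and compares the waiting periods that follow from the RFC's static-zone rule, from the message's conservative rule, and from the capped-cache behaviour the message asks about. Key tags 10 and 11 follow RFC 4641's example; every other value (validity period, refresh margin, signer interval, propagation delay, TTLs, the zone contents) is constructed for the example, and the signer's refresh behaviour is a simplified model, not any particular implementation.

```python
"""Added example: when can DNSKEY 10 leave the zone in a pre-publish rollover
if the zone is re-signed incrementally instead of all at once?"""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR

# Constructed rollover parameters (assumptions for this example, not from the message).
OLD_KEY, NEW_KEY = 10, 11            # key tags as in RFC 4641's example
SIG_VALIDITY = 7 * DAY               # RRSIG validity period (expiration - inception)
REFRESH_MARGIN = 1 * DAY             # signer refreshes an RRSIG once it is this close to expiring
SIG_PUBLICATION = SIG_VALIDITY - REFRESH_MARGIN  # how long one RRSIG actually stays published
SIGNER_INTERVAL = 6 * HOUR           # how often the incremental signer runs
PROPAGATION_DELAY = 2 * HOUR         # until every authoritative server serves the new zone
MAX_TTL = 1 * DAY                    # largest TTL of any RRset in the zone


@dataclass
class Rrsig:
    key_tag: int
    inception: int
    expiration: int


@dataclass
class Record:
    name: str
    ttl: int
    rrsig: Rrsig


def build_zone(t_switch):
    """Constructed zone state at the moment the active signing key switches from
    OLD_KEY to NEW_KEY: RRSIG inceptions are staggered over the past six days, as an
    incremental signer leaves them; the newest was signed one hour before the switch."""
    ages = [6 * DAY, 5 * DAY, 4 * DAY, 3 * DAY, 2 * DAY, 1 * DAY, 1 * HOUR]
    zone = []
    for i, age in enumerate(ages):
        inception = t_switch - age
        zone.append(Record(f"rr{i}.example.", MAX_TTL if i == 0 else 300,
                           Rrsig(OLD_KEY, inception, inception + SIG_VALIDITY)))
    return zone


def resign_incremental(zone, now, key_tag):
    """Refresh only RRSIGs within REFRESH_MARGIN of expiring, signing them with
    key_tag; all other RRSIGs (and the key that made them) stay in the zone."""
    for rec in zone:
        if rec.rrsig.expiration - now <= REFRESH_MARGIN:
            rec.rrsig = Rrsig(key_tag, now, now + SIG_VALIDITY)


def last_old_rrsig_gone(zone, t_switch):
    """Run the incremental signer with NEW_KEY from t_switch onwards and return the
    time of the run after which no RRSIG made by OLD_KEY remains in the zone."""
    now = t_switch
    while True:
        resign_incremental(zone, now, NEW_KEY)
        if all(rec.rrsig.key_tag == NEW_KEY for rec in zone):
            return now
        now += SIGNER_INTERVAL


def removal_rfc_static(t_switch):
    """RFC 4641 rule for a zone where *all* data is re-signed with key 11 at the switch."""
    return t_switch + PROPAGATION_DELAY + MAX_TTL


def removal_simulated(t_switch):
    """What the incremental zone actually needs: the last old-key RRSIG must have
    left the zone, propagated, and expired from every cache."""
    zone = build_zone(t_switch)
    return last_old_rrsig_gone(zone, t_switch) + PROPAGATION_DELAY + MAX_TTL


def removal_publication_rule(t_switch):
    """The message's rule: propagation delay + signature publication period + max TTL."""
    return t_switch + PROPAGATION_DELAY + SIG_PUBLICATION + MAX_TTL


def removal_conservative(t_switch):
    """Same rule with the full signature validity period, an upper bound for any
    signer that never publishes an RRSIG longer than its validity."""
    return t_switch + PROPAGATION_DELAY + SIG_VALIDITY + MAX_TTL


def removal_if_cache_capped(t_switch):
    """Assumed behaviour the message asks about: if a validator never caches an RRset
    past its RRSIG expiration, DNSKEY 10 is needed only until the latest expiration of
    any RRSIG it ever made. Modelled as an assumption, not asserted as protocol spec."""
    zone = build_zone(t_switch)
    return max(rec.rrsig.expiration for rec in zone)


if __name__ == "__main__":
    for rule in (removal_rfc_static, removal_simulated, removal_publication_rule,
                 removal_conservative, removal_if_cache_capped):
        print(f"{rule.__name__:26s} remove DNSKEY 10 at t_switch + {rule(0) / DAY:.2f} days")
```

With these constructed parameters the record signed an hour before the switch keeps its old-key RRSIG until the signer run six days later, so the old DNSKEY must stay about a week, not the roughly one day the static-zone rule gives; the publication-period rule matches the simulation exactly here only because the signer interval divides the publication period, so in general the simulated time is that rule rounded up to the next signer run, and the validity-period rule remains a safe upper bound.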


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
