-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi George,

On 06/24/2010 11:59 AM, George Barwood wrote:
> It could also note that validators SHOULD NOT check the RRSIG for a DNSKEY
> RRset where all the keys are validated by DS records.

This is not possible, and Casey thought similarly, so here is text:

The RRSIG from a DNSKEY identified by a DS record must validate. You must
do this to ensure that you have obtained all DNSKEY RRs, and thus know all
of the algorithms in use, and thus know which algorithms MUST have
signatures over the zone content. This is from RFC4035.

> There is no need for the DNSKEY RRset to be signed in this case, although
> of course for compatibility it is necessary - but maybe one day in the
> very far future the SHOULD above can become a MUST, and the requirement
> to provide an RRSIG can even later be relaxed.

No. Algorithm rollover is very important, as one day cryptography advances
may impose new algorithm constraints.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkwjNa4ACgkQkDLqNwOhpPgi0ACgjxFbRXFHPhoG0C/olJt7QdDf
dRAAoKjSPZK+RVlSMjyLbEgMDn3fBV/F
=UkYT
-----END PGP SIGNATURE-----

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
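The rule Wouter restates from RFC 4035, worked through as an added example that is not part of the thread and not code from any DNS implementation. It builds a DNSKEY RRset for the constructed zone "example." holding a KSK (algorithm 13, ECDSA P-256) that the parent's DS covers and a second key of a different algorithm (14, P-384) that no DS covers, signs the whole RRset with the KSK, and then validates: the DS identifies the KSK, the KSK's RRSIG over the complete RRset verifies, and only then does the validator know that both algorithms 13 and 14 must sign zone data. The same RRSIG presented with the algorithm-14 key stripped out fails, which is why the RRSIG check cannot be skipped even when a DS matches. Assumptions: DNSKEY, DS digest and key tag follow RFC 4034; the RRSIG is simplified to type covered, algorithm and key tag (no labels, TTL, validity window or signer name); only algorithm 13 signatures are verified here; keys are generated at run time.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
	"sort"
	"strings"
)

// Added example, not from the DNSOP thread. DNSKEY/DS encoding follows RFC 4034;
// the RRSIG is simplified (see rrsigHash); only ECDSA P-256 (alg 13) signatures are verified.
const (
	algECDSAP256SHA256 = 13 // RFC 6605
	algECDSAP384SHA384 = 14 // RFC 6605; present only to supply a second algorithm
)

type DNSKEY struct {
	Flags    uint16
	Protocol uint8
	Alg      uint8
	PubKey   []byte // X||Y (RFC 6605 s4)
}

type DS struct {
	KeyTag     uint16
	Alg        uint8
	DigestType uint8 // 2 = SHA-256
	Digest     []byte
}

// RRSIG reduced to the fields this example needs (assumption; see RFC 4034 s3 for the full RDATA).
type RRSIG struct {
	TypeCovered uint16 // 48 = DNSKEY
	Alg         uint8
	KeyTag      uint16
	Signature   []byte // r||s, 32 bytes each for alg 13
}

func (k DNSKEY) rdata() []byte {
	b := make([]byte, 4, 4+len(k.PubKey))
	binary.BigEndian.PutUint16(b, k.Flags)
	b[2], b[3] = k.Protocol, k.Alg
	return append(b, k.PubKey...)
}

// keyTag: RFC 4034 Appendix B (all algorithms except 1).
func (k DNSKEY) keyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xffff
	return uint16(ac)
}

// wireName: canonical (lower-case) wire form of an absolute owner name.
func wireName(name string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// dsOf: DS digest = SHA-256(owner | DNSKEY RDATA) (RFC 4034 s5.1.4).
func dsOf(owner string, k DNSKEY) DS {
	h := sha256.Sum256(append(wireName(owner), k.rdata()...))
	return DS{k.keyTag(), k.Alg, 2, h[:]}
}

func (d DS) matches(owner string, k DNSKEY) bool {
	c := dsOf(owner, k)
	return d.KeyTag == c.KeyTag && d.Alg == c.Alg && d.DigestType == c.DigestType && bytes.Equal(d.Digest, c.Digest)
}

// rrsigHash: SHA-256 over the modelled RRSIG fields followed by the canonical RRset,
// each RR as owner|RDLENGTH|RDATA sorted by RDATA (RFC 4034 s3.1.8.1, simplified header).
func rrsigHash(owner string, sig RRSIG, keys []DNSKEY) []byte {
	rd := make([][]byte, 0, len(keys))
	for _, k := range keys {
		rd = append(rd, k.rdata())
	}
	sort.Slice(rd, func(i, j int) bool { return bytes.Compare(rd[i], rd[j]) < 0 })
	h := sha256.New()
	h.Write([]byte{byte(sig.TypeCovered >> 8), byte(sig.TypeCovered), sig.Alg, byte(sig.KeyTag >> 8), byte(sig.KeyTag)})
	for _, r := range rd {
		h.Write(wireName(owner))
		h.Write([]byte{byte(len(r) >> 8), byte(len(r))})
		h.Write(r)
	}
	return h.Sum(nil)
}

// signDNSKEYSet signs the whole RRset with the P-256 KSK; signature is r||s (RFC 6605 s4).
func signDNSKEYSet(owner string, priv *ecdsa.PrivateKey, signer DNSKEY, keys []DNSKEY) (RRSIG, error) {
	sig := RRSIG{TypeCovered: 48, Alg: signer.Alg, KeyTag: signer.keyTag()}
	r, s, err := ecdsa.Sign(rand.Reader, priv, rrsigHash(owner, sig, keys))
	if err != nil {
		return RRSIG{}, err
	}
	sig.Signature = append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return sig, nil
}

func verifyP256(k DNSKEY, hash, sig []byte) bool {
	if len(k.PubKey) != 64 || len(sig) != 64 {
		return false
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(),
		X: new(big.Int).SetBytes(k.PubKey[:32]), Y: new(big.Int).SetBytes(k.PubKey[32:])}
	return ecdsa.Verify(pub, hash, new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// validateDNSKEYSet is the RFC 4035 s5.2 rule from the thread: a key that a DS
// authenticates must have produced a valid RRSIG over the ENTIRE DNSKEY RRset.
// Only then is the set trusted, and only then is the full list of algorithms
// that zone data must be signed with (RFC 4035 s2.2) known to the validator.
func validateDNSKEYSet(owner string, dsSet []DS, keys []DNSKEY, sigs []RRSIG) ([]uint8, bool) {
	for _, ds := range dsSet {
		for _, k := range keys {
			if !ds.matches(owner, k) || k.Alg != algECDSAP256SHA256 {
				continue // only alg 13 signatures are verifiable in this example
			}
			for _, s := range sigs {
				if s.KeyTag == k.keyTag() && s.Alg == k.Alg && verifyP256(k, rrsigHash(owner, s, keys), s.Signature) {
					return algorithmsOf(keys), true
				}
			}
		}
	}
	return nil, false
}

func algorithmsOf(keys []DNSKEY) []uint8 {
	seen := map[uint8]bool{}
	var out []uint8
	for _, k := range keys {
		if !seen[k.Alg] {
			seen[k.Alg] = true
			out = append(out, k.Alg)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// runScenario: constructed zone "example." with a DS-covered KSK (alg 13) and an
// alg-14 key with no DS. Returns the algorithms learned from the genuine RRset,
// whether it validated, and whether an RRset with the alg-14 key stripped (same RRSIG) validates.
func runScenario() (algs []uint8, okFull bool, okStripped bool, err error) {
	const owner = "example."
	kskPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ksk := DNSKEY{Flags: 257, Protocol: 3, Alg: algECDSAP256SHA256,
		PubKey: append(kskPriv.X.FillBytes(make([]byte, 32)), kskPriv.Y.FillBytes(make([]byte, 32))...)}
	zskPriv, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	zsk := DNSKEY{Flags: 256, Protocol: 3, Alg: algECDSAP384SHA384,
		PubKey: append(zskPriv.X.FillBytes(make([]byte, 48)), zskPriv.Y.FillBytes(make([]byte, 48))...)}
	keys := []DNSKEY{ksk, zsk}
	dsSet := []DS{dsOf(owner, ksk)} // the parent publishes a DS for the KSK only
	sig, err := signDNSKEYSet(owner, kskPriv, ksk, keys)
	if err != nil {
		return nil, false, false, err
	}
	algs, okFull = validateDNSKEYSet(owner, dsSet, keys, []RRSIG{sig})
	_, okStripped = validateDNSKEYSet(owner, dsSet, []DNSKEY{ksk}, []RRSIG{sig})
	return
}

func main() {
	algs, okFull, okStripped, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine RRset valid=%v; algorithms that must sign zone data: %v\n", okFull, algs)
	fmt.Printf("RRset with alg-14 key stripped valid=%v (RRSIG over the full set no longer matches)\n", okStripped)
}
```

The stripped case is the point of the exchange: a DS match alone tells the validator that one key is genuine, but only the RRSIG over the whole RRset tells it that no other key (and so no other algorithm) has been removed, which is what the RFC 4035 algorithm-signing requirement depends on.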