-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rickard,

On 11/09/2010 10:40 AM, Rickard Bellgrim wrote:
> I also think that it should be possible to send in a DS RR for which
> there is no DNSKEY in the child zone. I know that there are
> registries that disallow this and others allow this. The reason is to
> not limit any (future) rollover mechanism. What we could say is that
> there should be at least one of the DS RRs pointing to a DNSKEY.

With multiple algorithms, multiple DS RRs must successfully point to a
DNSKEY (that signs the DNSKEY rrset). A DS for every
signing-algorithm-number present in the DS RRset must succeed.

This also affects the disaster plans.  In an algorithm rollover you must
have disaster recovery keys for the new algorithm as well, and add and
remove the disaster-recovery keys and DSes at the same time as the
normal keys and DSes of that algorithm.  If you have your disaster
recovery key in a different algorithm, then its DS publication would be an
invalid chain of trust (for that algorithm).

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzZLZQACgkQkDLqNwOhpPi77gCcDiyt5Pm1qfbnIsLUblF529Yn
CuAAn2R3E3wrR33E6yuO+QDTI661QMmo
=DATD
-----END PGP SIGNATURE-----
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
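The per-algorithm rule Wouter describes (every algorithm number present in the parent's DS RRset must be matched by a DS that points to a DNSKEY which signs the child's DNSKEY RRset) is what a validator or a registry's pre-publication check has to implement. The following Python is an added example, not code from the thread or from any DNS software; it computes key tags (RFC 4034 Appendix B) and DS digests (SHA-1/SHA-256/SHA-384 over the canonical owner name plus DNSKEY RDATA) and then applies the rule. It assumes RRSIG verification has already been done by the caller, who passes in the set of DNSKEYs whose signature over the DNSKEY RRset verified; all key material and names are constructed placeholders.

```python
"""Check a DS RRset against a child's DNSKEY RRset under the
multi-algorithm rule (RFC 4035 section 2.2, RFC 6840 section 5.11).
Added example with constructed data; not real keys or zone data."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes      # raw public-key bytes (constructed in the demo)
    protocol: int = 3      # always 3 for DNSSEC (RFC 4034)

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (the non-RSAMD5 variant)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


# Digest types from the DS registry: 1=SHA-1, 2=SHA-256, 4=SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, e.g. example. ->
    \\x07example\\x00."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name wire | DNSKEY RDATA) (RFC 4034 5.1.4)."""
    h = DIGESTS[digest_type](owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, h)


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """True if this DS record points at this DNSKEY at this owner name."""
    if ds.digest_type not in DIGESTS:
        return False
    return make_ds(owner, key, ds.digest_type) == ds


def check_ds_rrset(owner, ds_rrset, dnskeys, dnskey_signers):
    """Per-algorithm verdict. For each algorithm number appearing in the DS
    RRset, at least one DS must match a published DNSKEY of that algorithm
    that is in dnskey_signers (keys whose RRSIG over the DNSKEY RRset the
    caller already verified; that verification is out of scope here).
    A DS that matches nothing is tolerated as long as its algorithm is
    satisfied by another DS, which is the pre-publication case."""
    verdict = {}
    for alg in {ds.algorithm for ds in ds_rrset}:
        verdict[alg] = any(
            ds_matches(ds, owner, k) and k in dnskey_signers
            for ds in ds_rrset if ds.algorithm == alg
            for k in dnskeys if k.algorithm == alg
        )
    return verdict


def chain_of_trust_ok(owner, ds_rrset, dnskeys, dnskey_signers) -> bool:
    """The delegation validates only if every algorithm in the DS RRset is
    satisfied (an empty DS RRset is not a secure delegation)."""
    verdict = check_ds_rrset(owner, ds_rrset, dnskeys, dnskey_signers)
    return bool(verdict) and all(verdict.values())


def demo():
    """Mid algorithm rollover: KSKs for algorithms 8 and 13 are published and
    both sign the DNSKEY RRset. Scenario A adds a pre-published DS for an
    algorithm-13 disaster-recovery key that is not yet in the zone: fine.
    Scenario B instead pre-publishes a DS for an algorithm-14 recovery key
    with no algorithm-14 DNSKEY: the chain breaks for that algorithm."""
    zone = "example."
    ksk8 = DNSKEY(257, 8, b"constructed-rsa-key-bytes")
    ksk13 = DNSKEY(257, 13, b"constructed-p256-key-bytes")
    dr13 = DNSKEY(257, 13, b"constructed-recovery-p256-key")
    dr14 = DNSKEY(257, 14, b"constructed-recovery-p384-key")
    published, signers = [ksk8, ksk13], {ksk8, ksk13}
    base = [make_ds(zone, ksk8), make_ds(zone, ksk13)]
    scenario_a = base + [make_ds(zone, dr13)]
    scenario_b = base + [make_ds(zone, dr14)]
    return {
        "A": chain_of_trust_ok(zone, scenario_a, published, signers),
        "B": chain_of_trust_ok(zone, scenario_b, published, signers),
        "B_verdict": check_ds_rrset(zone, scenario_b, published, signers),
    }


if __name__ == "__main__":
    print(demo())
```

Scenario A is the registry policy Rickard asks about: a DS with no DNSKEY behind it passes because algorithm 13 is already satisfied by the live KSK's DS. Scenario B is Wouter's warning: the recovery key's DS introduces algorithm 14 into the DS RRset, and since no algorithm-14 key signs the DNSKEY RRset the delegation fails for that algorithm, which is why recovery keys must follow the same algorithm and the same add/remove schedule as the normal keys.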