A fine bit of epistemology lies in the question: is it the same
certificate, if you re-issue it with the same keys? No, because it has
a different serial. But the crypto doesn't care; it's the validation
which cares, which is a product of the crypto. So validation cares, but
the cryptographic functions themselves, not so much.

The nice thing about bare-key cryptography is that fish don't need
bicycles. Dates are dates and validity intervals are a thing, but you
can re-bake as many times as you like if there is nothing embedded in
the structure like a serial. Oh wait... we sign the SOA, don't we...

I (for one) hang onto the .req file. Maybe that's naughty, but I do, so
in my case Warren's routine is that the keypair is being reused,
because... well... because I like to. Software I consume I suspect (like
you) doesn't, and re-mints shiny new keys now with added keynomium,
but when I do it by hand? Yes, I reuse the .req file.

But I am probably being led into bad places as a result. I am sure
wiser heads will say.

On Fri, Jul 21, 2017 at 1:46 PM, Warren Kumari <war...@kumari.net> wrote:
> On Fri, Jul 21, 2017 at 1:36 PM, Tony Finch <d...@dotat.at> wrote:
>> Andrew Sullivan <a...@anvilwalrusden.com> wrote:
>>>
>>> For instance, people also express astonishment that DNSKEYs don't
>>> expire.  Everyone always has to be reminded that signatures expire, and
>>> if you want to expire keys you take them out of the zone.
>>
>> I agree with your message.
>>
>> It might be useful to explain this DNSKEY oddity by comparison with x.509
>> certificates. In particular, it's the cert that expires, not the key, and
>> when you renew a cert you can re-use the same key.
>
>
> Yeah, you *can* reuse the same key, but (I suspect) most don't -- from
> what I've seen, the general process is:
> 1: Erk! My cert is about to / has just expired!!!
> 2: Search for and follow some online recipe related to "make ssl certificate"
> 3: ????
> 4: Go back to sleep.
>
> I think (but would be happy to be proven wrong) that most
> certificate renewals[0] involve a change of keys too.
>
> W
> [0]: Well, "legacy certs", excluding sexy new things like LE / ACME, etc.
>
>>
>> Tony.
>> --
>> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
>> Portland, Plymouth, North Biscay: Southerly or southwesterly 6 to gale 8
>> veering westerly or southwesterly 4 or 5, occasionally 6 later. Moderate or
>> rough. Rain or showers. Good, occasionally poor.
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>

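The "hang onto the .req file" routine from the message above, run end to end with openssl in a throwaway directory. This is an added example, not code from the thread or from any of its participants; the demo CA, the subject names and the one-day validity are made-up assumptions. It signs the same CSR twice and shows the point being argued: each certificate gets a fresh serial and both still validate, while the public key inside them is byte-for-byte the key on disk.

```shell
#!/bin/sh
# Added example, not from the DNSOP thread: re-issue an X.509 certificate from a
# kept CSR (the ".req" file) and show what changes and what does not.
# Assumptions: openssl on PATH; the CA and subject names are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA for the demo (self-signed, one day).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# One keypair and one CSR. The CSR binds the public key to the subject; it is
# what gets re-submitted each time the certificate is re-baked by hand.
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.req" 2>/dev/null

# issue_cert CSR OUT: have the demo CA sign the CSR. -CAcreateserial makes the
# CA keep a serial counter in ca.srl, so every issuance gets a different serial.
issue_cert() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

# cert_serial CERT: hex serial number carried in the certificate.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# pubkey_fingerprint CERT: SHA-256 of the DER SubjectPublicKeyInfo in the cert.
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# key_fingerprint KEY: the same digest derived from the private key file, so the
# key inside a certificate can be checked against the key actually held.
key_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# verifies CERT: does the certificate chain to the demo CA right now?
verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Re-bake twice from the same CSR, as a renewal-by-hand would.
issue_cert "$WORK/leaf.req" "$WORK/leaf-1.crt"
issue_cert "$WORK/leaf.req" "$WORK/leaf-2.crt"

echo "serial 1:      $(cert_serial "$WORK/leaf-1.crt")"
echo "serial 2:      $(cert_serial "$WORK/leaf-2.crt")"
echo "key in cert 1: $(pubkey_fingerprint "$WORK/leaf-1.crt")"
echo "key in cert 2: $(pubkey_fingerprint "$WORK/leaf-2.crt")"
echo "key on disk:   $(key_fingerprint "$WORK/leaf.key")"
verifies "$WORK/leaf-1.crt" && verifies "$WORK/leaf-2.crt" && echo "both validate"
```

The two serials differ and the three key fingerprints agree: the validator sees two distinct certificates, the cryptography sees one key. This is the X.509 half of Tony's comparison; the DNSSEC half is the same shape with the RRSIG inception/expiration playing the role of the validity interval and the DNSKEY staying put until it is removed from the zone.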