On Fri, 2010-07-09 at 10:07 +0300, Ondřej Surý wrote:
> > Why do you need to add the DNSKEY of the previous KSK to the unsigned
> > zone? If someone has the old DNSKEY RRSIG cached, he/she also has the
> > old DNSKEYs cached and is able to validate the DNSKEY RRset.
>
> Nope. RRSIG and DNSKEY RRsets often have different TTLs, and even if
> they were the same they will almost never be cached at the same time.
I thought that an RRset and the corresponding RRSIGs should be cached as an atomic entry. And according to RFC 4034, "The TTL value of an RRSIG RR MUST match the TTL value of the RRset it covers."

Antti

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
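The cache-timing question in this thread, as an added example that is not part of the original posts or of OpenDNSSEC: a small Python model of a KSK rollover seen through one validating resolver's cache. It does not try to settle the RRSIG-versus-DNSKEY TTL point; it deliberately keeps the DNSKEY RRset and its RRSIG together (they arrive in one response) and instead lets the DS RRset, which the resolver caches from the parent with the parent's TTL, go out of step. All key tags, TTLs and rollover times are constructed values, and a "signature" is modelled only as the key tag of the signer, with no cryptography.

```python
"""Toy model of a KSK rollover as seen through a validating resolver's cache.

Added illustration for the thread above; not OpenDNSSEC code. Key tags, TTLs
and the rollover timeline are constructed values. A "signature" is modelled
only as the key tag of the signer; no cryptography is performed.
"""
from dataclasses import dataclass

# Constructed key tags and timings (hours on an arbitrary clock).
KSK_OLD, ZSK, KSK_NEW = 1111, 2222, 3333
DNSKEY_TTL = 1          # child's DNSKEY RRset and its RRSIG (equal per RFC 4034)
DS_TTL = 24             # DS RRset served by the parent, cached on its own
NEW_KSK_PUBLISHED = 10  # new KSK enters the DNSKEY RRset and co-signs it
DS_SWITCHED = 20        # parent replaces the DS for KSK_OLD with one for KSK_NEW


@dataclass
class CachedRRset:
    data: object
    fetched_at: int
    ttl: int

    def expired(self, now: int) -> bool:
        return now >= self.fetched_at + self.ttl


class Zone:
    """What the authoritative servers hand out at a given time."""

    def __init__(self, old_ksk_removed_at: int):
        self.old_ksk_removed_at = old_ksk_removed_at

    def dnskey_and_rrsig(self, now: int):
        """DNSKEY RRset and the key tags that signed it, served together."""
        keys, signers = {ZSK}, set()
        if now < self.old_ksk_removed_at:
            keys.add(KSK_OLD)
            signers.add(KSK_OLD)
        if now >= NEW_KSK_PUBLISHED:
            keys.add(KSK_NEW)
            signers.add(KSK_NEW)
        return frozenset(keys), frozenset(signers)

    def ds(self, now: int):
        return frozenset({KSK_NEW} if now >= DS_SWITCHED else {KSK_OLD})


class Resolver:
    """Caches DS separately from DNSKEY+RRSIG; the latter always arrive together."""

    def __init__(self):
        self.ds_cache = None
        self.key_cache = None

    def _ds(self, zone, now):
        if self.ds_cache is None or self.ds_cache.expired(now):
            self.ds_cache = CachedRRset(zone.ds(now), now, DS_TTL)
        return self.ds_cache.data

    def _keys(self, zone, now):
        if self.key_cache is None or self.key_cache.expired(now):
            self.key_cache = CachedRRset(zone.dnskey_and_rrsig(now), now, DNSKEY_TTL)
        return self.key_cache.data

    def chain_valid(self, zone, now) -> bool:
        """A cached DS must match a DNSKEY that also signed the cached DNSKEY RRset."""
        ds = self._ds(zone, now)
        keys, signers = self._keys(zone, now)
        return any(tag in keys and tag in signers for tag in ds)


def simulate(old_ksk_removed_at: int, primed_at: int, query_at: int) -> bool:
    """Prime a fresh resolver at primed_at, then ask whether the chain validates at query_at."""
    zone = Zone(old_ksk_removed_at)
    resolver = Resolver()
    resolver.chain_valid(zone, primed_at)   # fills the cache with what was live then
    return resolver.chain_valid(zone, query_at)


if __name__ == "__main__":
    # A resolver that cached the old DS one hour before the parent switched it.
    print("old KSK dropped after DNSKEY TTL only:", simulate(DS_SWITCHED + 1, 19, 22))
    print("old KSK kept until old DS could expire:", simulate(DS_SWITCHED + DS_TTL + 1, 19, 22))
```

In the first run the resolver still holds the DS for KSK_OLD (the parent's TTL has not run out) but re-fetches a DNSKEY RRset from which the old KSK is already gone, so there is no key that both matches the DS and signed the set, and validation fails. In the second run the old KSK stays published until every cached copy of the old DS can have expired, and the same resolver validates throughout. The waiting period is therefore set by the parent's DS TTL, not by the child's DNSKEY TTL, which is one concrete reason for keeping the previous KSK's DNSKEY in the zone after the DS has changed.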
