> On Fri, 2010-07-09 at 10:07 +0300, Ondřej Surý wrote:
>> > Why do you need to add the DNSKEY of the previous KSK to the unsigned
>> > zone? If someone has the old DNSKEY RRSIG cached, he/she also has the
>> > old DNSKEYs cached and is able to validate the DNSKEY RRset.
>>
>> Nope. RRSIG and DNSKEY RRsets often have different TTLs, and even if
>> they were the same they will almost never be cached at the same time.
>
> I thought that an RRset and the corresponding RRSIGs should be cached as
> an atomic entry. And according to RFC 4034 "The TTL value of an RRSIG RR
> MUST match the TTL value of the RRset it covers."
Sorry, I was writing faster than thinking :). You're right. What I wrote applies only to ZSK.

Ondrej
--
Ondřej Surý <[email protected]>
http://blog.rfc1925.org/

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
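The distinction the thread lands on (RRset and RRSIG are cached together with one TTL, so the problem is with the ZSK, not the KSK) is easy to see in a small cache model. The following is an added example, not code from the thread or from OpenDNSSEC: a toy authoritative zone and a toy validating resolver. The key tags (1001, 1002, 5000), the TTLs (300 s for DNSKEY, 3600 s for data) and the single `www A` record are all constructed values. "Signature checking" is reduced to "the key tag named in the RRSIG is present in the DNSKEY RRset the resolver currently holds", which is enough to show why an abrupt ZSK swap produces a bogus answer while a pre-publish rollover does not.

```python
"""Toy model of a ZSK rollover against a caching validator (constructed example)."""
from dataclasses import dataclass


@dataclass
class CachedRRset:
    rtype: str
    rdata: frozenset   # record data; for DNSKEY this is the set of published key tags
    signer: int        # key tag from the RRSIG that covers this RRset
    expires_at: int    # RRset and its RRSIG share one TTL (RFC 4034), so one expiry time


class ToyZone:
    """Authoritative side: publishes a DNSKEY RRset and signs 'www A' with the active ZSK."""

    DNSKEY_TTL = 300   # constructed: short TTL on the key set
    DATA_TTL = 3600    # constructed: longer TTL on ordinary data

    def __init__(self):
        self.ksk = 5000                 # constructed key tag; signs the DNSKEY RRset
        self.published_zsks = {1001}    # constructed key tag of the initial ZSK
        self.active_zsk = 1001

    def answer(self, rtype: str, now: int) -> CachedRRset:
        if rtype == "DNSKEY":
            # The DNSKEY RRset and the RRSIG over it (made by the KSK) travel together.
            return CachedRRset("DNSKEY", frozenset(self.published_zsks | {self.ksk}),
                               self.ksk, now + self.DNSKEY_TTL)
        # Ordinary data is signed by whichever ZSK is active at answer time.
        return CachedRRset("A", frozenset({"192.0.2.10"}), self.active_zsk,
                           now + self.DATA_TTL)

    def roll_zsk(self, new_tag: int, prepublish: bool) -> None:
        """Switch signing to new_tag. With prepublish=True the old key stays published
        so that signatures still sitting in caches can be validated."""
        self.active_zsk = new_tag
        if prepublish:
            self.published_zsks.add(new_tag)
        else:
            self.published_zsks = {new_tag}   # abrupt swap: old key disappears at once


class ToyResolver:
    """Validating resolver with a per-RRset cache; each entry keeps its own RRSIG."""

    def __init__(self, zone: ToyZone):
        self.zone = zone
        self.cache = {}

    def lookup(self, rtype: str, now: int) -> CachedRRset:
        entry = self.cache.get(rtype)
        if entry is None or entry.expires_at <= now:
            entry = self.zone.answer(rtype, now)   # cache miss or expired: refetch
            self.cache[rtype] = entry
        return entry

    def validate_www(self, now: int) -> str:
        a = self.lookup("A", now)
        keys = self.lookup("DNSKEY", now)
        # Toy check: the key that produced the cached RRSIG must be in the DNSKEY set we hold.
        return "secure" if a.signer in keys.rdata else "bogus"


def simulate(prepublish: bool) -> list:
    """Return the validation result at t=0 and again at t=400 after a ZSK roll at t=100."""
    zone = ToyZone()
    resolver = ToyResolver(zone)
    results = [resolver.validate_www(0)]       # t=0: A and DNSKEY fetched, A signed by 1001
    zone.roll_zsk(1002, prepublish)            # t=100: zone moves to ZSK 1002
    results.append(resolver.validate_www(400)) # t=400: DNSKEY (TTL 300) refetched, A (TTL 3600) still cached
    return results


if __name__ == "__main__":
    print("abrupt ZSK swap:  ", simulate(prepublish=False))
    print("pre-publish roll: ", simulate(prepublish=True))
```

In the abrupt case the resolver refreshes the short-lived DNSKEY RRset, finds only the new ZSK in it, but still holds an `A` RRset whose RRSIG was made by the old ZSK, so the answer goes bogus. With pre-publish the old ZSK is still listed, and the cached signature validates. The same model shows why the KSK question is different: the DNSKEY RRset and its RRSIG are one cache entry with one TTL, so a resolver never holds a DNSKEY signature without the keys it was made over.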
