Hi,
> > But, hum, how can a tool like validns know things the auditor did,
>
> Just parse the signconf.xml

You'd be checking up on a tool, but at the same time trusting it?

My response would've been "just look in authoritative DNS for its current state". The tedious and cautious thing to do would be to look at _all_ authoritative DNS servers to be certain that a RR is either available or absent on all. For most things, availability on all authoritative DNS servers _and_ the new zone data would function to ensure that a signature will go through.

I can see one exception to this, namely when multiple signing algorithms are used. Algorithms would be triggered when available on _some_ authoritative DNS server _or_ the new zone data. This would trigger a validation in which all signing algorithms must individually succeed, as stated in the RFCs. The combination is quite tight: if either version of the zone data refers to an algorithm, then all versions of the zone data must hold the key/signature material to verify it.

-Rick
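The consistency rule stated in the message above (every algorithm referenced by any version of the zone must be backed by DNSKEY and RRSIG material in all versions) as an added example check, not code from the post or from OpenDNSSEC; the server names and the algorithm sets they serve are constructed sample data.

```python
"""Check the multi-algorithm rule: collect every algorithm referenced by any
version of the zone (each authoritative server's view plus the new zone data),
then require DNSKEY and RRSIG material for each of them in every version."""
from typing import Dict, List, Set

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA256 = 8
ECDSAP256SHA256 = 13

# A "version" maps record type -> set of algorithm numbers seen in that view.
Version = Dict[str, Set[int]]


def referenced_algorithms(versions: Dict[str, Version]) -> Set[int]:
    """Union of algorithms that any DNSKEY or RRSIG in any version refers to."""
    algs: Set[int] = set()
    for view in versions.values():
        algs.update(view.get("dnskey", set()))
        algs.update(view.get("rrsig", set()))
    return algs


def find_algorithm_gaps(versions: Dict[str, Version]) -> List[str]:
    """One message per missing (version, algorithm, record type); empty when safe."""
    required = referenced_algorithms(versions)
    gaps: List[str] = []
    for name, view in sorted(versions.items()):
        for alg in sorted(required):
            if alg not in view.get("dnskey", set()):
                gaps.append(f"{name}: no DNSKEY for algorithm {alg}")
            if alg not in view.get("rrsig", set()):
                gaps.append(f"{name}: no RRSIG for algorithm {alg}")
    return gaps


# Constructed sample: both authoritative servers still serve the old
# single-algorithm zone, while the new zone data already adds ECDSA.
SAMPLE_VERSIONS: Dict[str, Version] = {
    "ns1.example": {"dnskey": {RSASHA256}, "rrsig": {RSASHA256}},
    "ns2.example": {"dnskey": {RSASHA256}, "rrsig": {RSASHA256}},
    "new zone data": {"dnskey": {RSASHA256, ECDSAP256SHA256},
                      "rrsig": {RSASHA256, ECDSAP256SHA256}},
}

if __name__ == "__main__":
    for gap in find_algorithm_gaps(SAMPLE_VERSIONS):
        print(gap)
```

Publishing the new zone data with the sample views would be unsafe: a validator that picks up algorithm 13 from the new data finds no matching key or signature on either server.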
