On Sep 30, 2010, at 3:03 PM, Matthijs Mekking wrote a long mail starting with: > > On the dnssec-deployment list, the Signed TLD status thread [1] evolved > into a discussion how algorithm rollover works in specific use cases. My > feeling is that this discussion belongs to DNSOP and so I want to share
Key to that message was the distinction of 3 cases for algorithm rollover
>
>
> Now there are other use cases:
> a) Single Type Signing Scheme Algorithm Rollover
> b) Trust Anchor Algorithm Rollover (5011 may be used)
> c) Both a) and b).
>
> a
> pre-published, in step 2 (new RRSIGs). The shadow key must be removed at
> the same time the revoked KSK_1 is removed from the zone.
I have taken a stab at differentiating these cases and guiding the reader
through in what will be subsections of section 4.1.5. The figures provided will
be added to an appendix.
Updated draft to be posted by the cut-off.
Thanks
--Olaf
________________________________________________________
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
