I agree with Matthijs. Looking at 6781 that makes the most sense.
tim
On Tue, Oct 25, 2016 at 8:17 AM, Matthijs Mekking wrote:
>
>
> On 25-10-16 15:15, Marcos Sanz wrote:
>
>> Matthijs,
>>
>> my attention has been brought to the KSK rollover double-signature
>>>
> > Matthijs,
> > my attention has been brought to the KSK rollover double-signature style
> > described in 6781 and what I think is a mistake/oblivion there. Section
> > 4.1.2 states
[...]
> You are right: DS_K_2 may only be provided to the parent *after* the TTL
> of DNSKEY_K_1 has passed.
Hi Marc,
> For .nl we have rolled the KSK conform the double KSK method as
> described in RFC7583. We didn't notice a mistake or oblivion there :-0
please consider that my comment applied only to RFC 6781.
Best,
Marcos
To: Marcos Sanz <s...@denic.de>; dnsop@ietf.org
Subject: Re: [DNSOP] RFC 6781 and double signature KSK rollover
Hi Marco,
On 24-10-16 17:47, Marcos Sanz wrote:
> Hi all,
>
> my attention has been brought to the KSK rollover double-signature
> style described in 6781 and what I
Hi all,
my attention has been brought to the KSK rollover double-signature style
described in 6781 and what I think is a mistake/oblivion there. Section
4.1.2 states
> initial: Initial version of the zone. The parental DS points to
> DNSKEY_K_1. Before the rollover starts, the child