As a developer I have a question about revoke bits.

In a DNSKEY RRset that revokes A and also has keys B and C, does A sign (A+B+C), or does the signature from A only sign A?

Signing more than simply A is nonsense, since the key is revoked. And it aids storing a presigned self-revocation for emergency use. However, that is not standard for RRset signatures.

Do signatures from B and C sign (A+B+C) or (B+C)?

How do revoke bit signatures work?

Best regards,
~ Wouter

richard.lamb wrote:
| I agree it would be unrealistic to set it for a production zone like .se
| yet.
| However, I like the idea of "exercising" the REVOKE bit so that potential
| developers see it.
| Would it break anything in BIND resolvers to do so?
| If not, I'd like to set it every time I change KSKs in our demo.
|
| -----Original Message-----
| From: DNSSEC deployment [mailto:dnssec-deployment@shinkuro.com] On Behalf Of
| Holger Zuleger
| Sent: Friday, January 04, 2008 1:11 AM
| To: DNSSEC deployment
| Cc: Patrik Wallstrom; Anne-Marie.Eklund-Lowinder@iis.se; dns-wg@ripe.net
| Subject: Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE -
| New key signing key (KSK) for .SE
|
| Patrik Wallstrom wrote:
|> On Thu, 03 Jan 2008, Holger Zuleger wrote:
|>
|>>> New key signing key (KSK) for .SE
|>>> As from today, 2008-01-03 .SE publishes and takes into use a new KSK for
|>>> signing the .SE zone file. The key published with start 2006 with key
|>>> id = 17686 is invalid since 2008-01-01 and will be removed
|>>> 2008-02-01. You should have configured the key published with start
|>> Would it be possible to set the REVOKE bit on that key, and announce it
| for
|>> another 30 days?
|> There was no time to fix this for this rollover. Next time.
| Oh, sure, it's clear that no one wants to add a new functionality on a
| productive service without testing, even if it is just to set one bit.
| But I thought that it was a good time to bring RFC 5011 to mind...
|
|>> Doing so enables an RFC 5011 aware validator to discard the key
| automatically
|>> from the list of possible trust anchors.
|> Which resolvers honor the revocation bit? To my knowledge, no Swedish
|> resolver operators are using such software yet.
| I think you are right. I guess that actually no one uses it.
| Small question to all the DNSSEC operators: Please raise your hand if
| I'm wrong. ;-)
| And to the BIND guys: Does BIND, used as a DNSSEC validator, honor the
| revoke bit?
|
| Holger
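An added example, not part of this thread, showing two mechanics behind the question above: the REVOKE bit lives in the DNSKEY flags field, which is part of the RDATA the key tag (RFC 4034 Appendix B) is computed over, so a key gets a new key tag the moment it is revoked; and an RFC 5011 validator drops a trust anchor only when that key appears in the DNSKEY RRset with REVOKE set and the RRset carries a valid RRSIG made by the revoked form of the key. The key bytes and algorithm number are constructed placeholders, and RRSIG verification is assumed to have happened elsewhere (the set of tags that validly signed the RRset is an input).

```python
import struct

ZONE_KEY = 0x0100  # DNSKEY flags bit 7 (RFC 4034)
REVOKE = 0x0080    # DNSKEY flags bit 8 (RFC 5011)
SEP = 0x0001       # DNSKEY flags bit 15 (RFC 4034)


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the variant for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def anchors_to_remove(anchors, rrset, valid_signer_tags):
    """RFC 5011 section 2.1: a trust anchor is revoked when the same key
    material appears in the DNSKEY RRset with REVOKE set and the RRset is
    validly signed by that key (identified by its *revoked* key tag).
    anchors: set of (algorithm, public_key); rrset: list of (flags, algorithm,
    public_key); valid_signer_tags: key tags whose RRSIGs verified."""
    removed = set()
    for flags, alg, pub in rrset:
        if (alg, pub) in anchors and flags & REVOKE:
            if key_tag(dnskey_rdata(flags, alg, pub)) in valid_signer_tags:
                removed.add((alg, pub))
    return removed


def rollover_walkthrough():
    """Constructed scenario: KSK A is revoked, B and C are live; A self-signs."""
    pub_a = bytes(range(1, 33))        # placeholder key bytes, not a real key
    pub_b, pub_c = bytes(33, ), bytes(range(40, 72))
    ksk_flags = ZONE_KEY | SEP
    tag_a = key_tag(dnskey_rdata(ksk_flags, 8, pub_a))
    tag_a_revoked = key_tag(dnskey_rdata(ksk_flags | REVOKE, 8, pub_a))
    rrset = [(ksk_flags | REVOKE, 8, pub_a), (ksk_flags, 8, pub_b), (ksk_flags, 8, pub_c)]
    anchors = {(8, pub_a), (8, pub_b)}
    # A signed the whole RRset with its revoked form; a signer tag of the old,
    # unrevoked A would NOT count, because the validator looks up the new tag.
    removed = anchors_to_remove(anchors, rrset, {tag_a_revoked})
    ignored = anchors_to_remove(anchors, rrset, {tag_a})
    return tag_a, tag_a_revoked, removed, ignored
```

Because only the flags change, the revoked tag is the old tag plus 128 unless the carry fold in the tag arithmetic wraps, which is why a validator must compute the tag from the revoked RDATA rather than remember the original one.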