7 Jan 2008, 2:24 p.m.
As a developer I have a question about revoke bits.

In a DNSKEY RRset that revokes A and also has keys B and C, does A sign (A+B+C), or does the signature from A only sign A? In theory, only the signing of A is required, but the additional signing of B+C doesn't matter. Signing more than simply A is nonsense, since the key is revoked, and signing only A aids storing a pre-signed self-revocation for emergency use. However, that is not standard for RRset signatures.

Do signatures from B and C sign (A+B+C) or (B+C)? They have to sign (A+B+C).

BTW, be aware of the key tag changing if you set the revoke bit.

Holger
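The closing remark about the key tag is worth seeing in numbers. The following is an added example, not code from the original post: it computes the DNSKEY key tag as defined in RFC 4034 Appendix B and shows that setting the RFC 5011 REVOKE flag (0x0080) yields a different tag for otherwise identical key material. The public key bytes, the helper names (`dnskey_rdata`, `key_tag`, `revoke`, `is_revoked`) and the sample constants are all constructed for illustration.

```python
"""Key tag computation (RFC 4034, Appendix B) and the effect of the
RFC 5011 REVOKE flag on it.

Constructed example: the public key bytes below are placeholders,
not a real key.
"""
import struct

ZONE = 0x0100    # RFC 4034 ZONE flag (bit 7)
REVOKE = 0x0080  # RFC 5011 REVOKE flag (bit 8)
SEP = 0x0001     # RFC 4034 Secure Entry Point flag (bit 15)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialise DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag, valid for every algorithm except the
    deprecated algorithm 1 (RSA/MD5), which uses a different rule.

    The tag is a 16-bit checksum over the whole RDATA, flags included,
    so any change to the flags field changes the tag.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def revoke(rdata: bytes) -> bytes:
    """Return the same DNSKEY RDATA with the REVOKE bit set; key material is untouched."""
    flags, protocol, algorithm = struct.unpack(">HBB", rdata[:4])
    return dnskey_rdata(flags | REVOKE, protocol, algorithm, rdata[4:])


def is_revoked(rdata: bytes) -> bool:
    """True if the REVOKE flag is set in the DNSKEY flags field."""
    (flags,) = struct.unpack(">H", rdata[:2])
    return bool(flags & REVOKE)


# Constructed sample: a KSK-style key (ZONE|SEP = 257), protocol 3,
# algorithm 8 (RSASHA256), with eight placeholder key bytes.
SAMPLE_KEY = dnskey_rdata(ZONE | SEP, 3, 8, bytes(range(1, 9)))
SAMPLE_REVOKED = revoke(SAMPLE_KEY)

if __name__ == "__main__":
    print("flags=%d  tag=%d" % (ZONE | SEP, key_tag(SAMPLE_KEY)))
    print("flags=%d  tag=%d  (revoked)" % (ZONE | SEP | REVOKE, key_tag(SAMPLE_REVOKED)))
```

The practical consequence for a validator or a key-management tool: the RRSIG that self-signs a revoked key must carry the key tag computed with the REVOKE bit set, and any lookup of the key by its old tag (for example against a stored trust anchor list) will no longer match. Tooling that tracks keys by tag alone should therefore key on the full RDATA, or record both tags, when a revocation is planned.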