Re: [dnssec-deployment] [dns-wg] RE: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE - dns-wg

7 Jan 2008


      ...
As a developer I have a question about revoke bits.
In a DNSKEY RRset that revokes A and also has keys B and C. Does A sign
(A+B+C) or does the signature from A only sign A?
In theory, only the signing of A is required, but don't care about the 
additional signing of B+C.
Signing more than simply A is nonsense, since the key is revoked.
And aids storing a presigned-self-revocation for emergency use.
However, that is not standard for RRset signatures.
Do signatures from B and C sign (A+B+C) or (B+C) ?
They have to sign (A+B+C)
BTW, be aware of key tag changing if you set the revoke bit.
  Holger

Re: [dnssec-deployment] [dns-wg] RE: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE

Holger Zuleger

tags

participants (1)