[dns-wg] Re: [dns-wg] RE: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE

  • To: "richard.lamb" <richard.lamb@localhost>
  • From: Wouter Wijngaards <wouter@localhost>
  • Date: Mon, 07 Jan 2008 12:08:46 +0100
  • Cc: "'Holger Zuleger'" <Holger.Zuleger@localhost>, "'DNSSEC deployment'" <dnssec-deployment@localhost>, "'Patrik Wallstrom'" <pawal@localhost>, Anne-Marie.Eklund-Lowinder@localhost, dns-wg@localhost

As a developer I have a question about revoke bits.

In a DNSKEY RRset that revokes A and also has keys B and C, does A sign
(A+B+C), or does the signature from A only sign A?
Signing more than simply A is nonsense, since the key is revoked.
It also aids storing a presigned self-revocation for emergency use.
However, that is not standard for RRset signatures.

Do signatures from B and C sign (A+B+C) or (B+C) ?

How do revoke bit signatures work?

Best regards,
Wouter

richard.lamb wrote:
| I agree it would be unrealistic to set it for a production zone like .se
| yet.
| However, I like the idea of "exercising" the REVOKE bit so that potential
| developers see it.
| Would it break anything in BIND resolvers to do so?
| If not, I'd like to set it every time I change KSKs in our demo.
|
|
| -----Original Message-----
| From: DNSSEC deployment [] On Behalf Of Holger Zuleger
| Sent: Friday, January 04, 2008 1:11 AM
| To: DNSSEC deployment
| Cc: Patrik Wallstrom; Anne-Marie.Eklund-Lowinder@localhost; dns-wg@localhost
| Subject: Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE -
| New key signing key (KSK) for .SE
|
|
| Patrik Wallstrom wrote:
|> On Thu, 03 Jan 2008, Holger Zuleger wrote:
|>
|>>> New key signing key (KSK) for .SE
|>>> As from today, 2008-01-03 .SE publish and take into use a new KSK for
|>>> signing the .SE zone file. The key published with start 2006 with key
|>>> id = 17686 is invalid since 2008-01-01 and will be removed
|>>> 2008-02-01. You should have configured the key published with start
|>>
|>> Would it be possible to set the REVOKE bit on that key, and announce it
|>> for another 30 days?
|>
|> There was no time to fix this for this rollover. Next time.
|
| Oh, sure, it's clear that no one wants to add new functionality on a
| production service without testing, even if it is just to set one bit.
| But I thought that it was a good time to bring RFC 5011 to mind...
|
|>> Doing so enables an RFC 5011 aware validator to discard the key
|>> automatically from the list of possible trust anchors.
|>
|> Which resolvers honor the revocation bit? To my knowledge, no Swedish
|> resolver operators are using such software yet.
|
| I think you are right. I guess that actually no one uses it.
| Small question to all the DNSSEC operators: please raise your hand if
| I'm wrong. ;-)
| And to the BIND guys: does BIND, used as a DNSSEC validator, honor the
| revoke bit?
|
| Holger
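An added example, not from this thread, of the RFC 5011 behaviour Holger refers to, written in Python: a key tag is computed over the DNSKEY RDATA including the flags, so a key with the REVOKE bit set gets a different tag from its unrevoked form, and a validator only drops a trust anchor when the zone publishes that anchor with REVOKE set and the DNSKEY RRset carries a signature made with that revoked key. Cryptographic verification of the RRSIGs is assumed to have happened already; the signer tags, key bytes and names A, B, C are constructed for the demo and are not real key material.

```python
from __future__ import annotations
from dataclasses import dataclass

REVOKE = 0x0080  # RFC 5011 section 2.1: bit 8 of the DNSKEY flags field
KSK = 0x0101     # ZONE + SEP, the usual flags of a key signing key

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    pubkey: bytes      # constructed sample bytes below, not real key material
    protocol: int = 3

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B. Flags are part of the input, so setting REVOKE
        # changes the tag; the validator must match on the revoked form.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def revoked(self) -> DNSKEY:
        return DNSKEY(self.flags | REVOKE, self.algorithm, self.pubkey, self.protocol)

def apply_revocations(anchors: set[DNSKEY], rrset: list[DNSKEY],
                      signer_tags: set[int]) -> set[DNSKEY]:
    """Anchors that survive one look at the zone's DNSKEY RRset (RFC 5011).
    signer_tags: key tags of the RRSIGs over the RRset that already verified.
    An anchor is dropped only if published with REVOKE set AND the RRset is
    signed by that revoked key; REVOKE without a self-signature is ignored."""
    surviving = set(anchors)
    for key in rrset:
        if key.flags & REVOKE and key.key_tag() in signer_tags:
            unrevoked = DNSKEY(key.flags & ~REVOKE, key.algorithm,
                               key.pubkey, key.protocol)
            surviving.discard(unrevoked)  # no-op if it was never an anchor
    return surviving

# Constructed demo: anchor A is rolled to B, C is a ZSK; the RRset A+B+C from
# the question is published with A revoked and signed by revoked-A and by B.
A = DNSKEY(KSK, 8, b"\x01\x02\x03\x04")
B = DNSKEY(KSK, 8, b"\x05\x06\x07\x08")
C = DNSKEY(0x0100, 8, b"\x09\x0a\x0b\x0c")
RRSET = [A.revoked(), B, C]
SIGNER_TAGS = {A.revoked().key_tag(), B.key_tag()}
```

Running `apply_revocations({A}, RRSET, SIGNER_TAGS)` removes A from the anchor set, while the same RRset signed only by B leaves A in place.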