[dns-wg] Re: [dnssec-deployment] [dns-wg] RE: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE
Holger Zuleger Holger.Zuleger at hznet.de
Mon Jan 7 14:24:22 CET 2008
> As a developer I have a question about revoke bits. > > In a DNSKEY RRset that revokes A and also has keys B and C. Does A sign > (A+B+C) or does the signature from A only sign A? In theory, only the signing of A is required, but don't care about the additional signing of B+C. > Signing more than simply A is nonsense, since the key is revoked. > And aids storing a presigned-self-revocation for emergency use. > However, that is not standard for RRset signatures. > > Do signatures from B and C sign (A+B+C) or (B+C) ? They have to sign (A+B+C) BTW, be aware of key tag changing if you set the revoke bit. Holger -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5006 bytes Desc: S/MIME Cryptographic Signature URL: <https://lists.ripe.net/ripe/mail/archives/dns-wg/attachments/20080107/bc4244bf/attachment.bin>
[ dns-wg Archives ]