[ksk-change] Testing new keys added

Michael StJohns msj at nthpermutation.com
Fri Oct 10 19:55:36 UTC 2014


On 10/10/2014 3:08 PM, Richard Lamb wrote:
> Jakob's right.  If I understand the question correctly, you always need two KSK
> RRSIGs to be able to simultaneously validate with either TA.  I learned that
> when I was testing ksrsigner.c for key rolls. -Rick

That's not what the stuff below was about exactly.

The issue is actually that the trust chains from A and B can't ever be 
independent because both chains must pass through the monolithic signed 
root DNSKEY RRSet.  So it's impossible to set up a zone that can *only* 
be verified if you've installed "B" as a trust anchor. (*sigh*  That's 
not exactly the right way to say it but close enough for government 
work....)

Mike




>
> -----Original Message-----
> From: ksk-rollover-bounces at icann.org [mailto:ksk-rollover-bounces at icann.org]
> On Behalf Of Jakob Schlyter
> Sent: Thursday, October 09, 2014 11:06 PM
> To: Paul Hoffman
> Cc: ksk-rollover at icann.org
> Subject: Re: [ksk-change] Testing new keys added
>
> On 10 okt 2014, at 04:19, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>
>> Assuming that a rollover uses the Double-KSK method described previously,
> is there an intention to test systems for the new SEP key before removing
> the old one? That is, if A is the current KSK and IANA adds B, after the
> 30-day hold-down time, either key could be used to sign zones in the root.
>
> No, both keys need to sign the ZSK that signs the DS records in the root
> zone. And that invalidates the rest of your (otherwise interesting)
> proposal. Sorry :-/
>
> 	jakob
>
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover
>

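The structural point in the thread (one signed root DNSKEY RRset that every trust anchor's chain has to pass through) can be seen by modelling the validator's decision. The following is an added example, not code from this thread, from IANA's KSK tooling or from ksrsigner.c. It is not DNSSEC wire format either: keys are identified by name rather than key tag, the "canonical form" is a sorted repr, and the signature scheme is a textbook RSA toy over fixed Mersenne primes (an assumption made so the example runs offline with only the standard library). The constructed DS record, key names and trust-anchor labels are all hypothetical. The validation rule itself follows RFC 4035 section 5.3: the apex DNSKEY RRset is secure only if some RRSIG over it verifies under a key that is both a member of that RRset and a configured trust anchor, and anything signed by the ZSK is secure only if the DNSKEY RRset was.

```python
"""Model of apex DNSKEY validation during a Double-KSK rollover.

Constructed illustration: toy RSA over fixed Mersenne primes, names in
place of key tags, no wire format. Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    name: str   # stands in for owner name + key tag
    sep: bool   # Secure Entry Point (KSK) flag
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    pub: PublicKey
    d: int


def toy_keypair(name: str, sep: bool, p: int, q: int, e: int = 65537) -> PrivateKey:
    """Textbook RSA from two supplied primes. Toy only: tiny moduli, no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PrivateKey(PublicKey(name, sep, n, e), pow(e, -1, phi))


def canonical(rrset: tuple) -> bytes:
    """Stand-in for the canonical RRset ordering an RRSIG is computed over."""
    return b"\n".join(sorted(repr(rr).encode() for rr in rrset))


def _message(rrset: tuple, n: int) -> int:
    return int.from_bytes(hashlib.sha256(canonical(rrset)).digest(), "big") % n


def sign(rrset: tuple, key: PrivateKey) -> tuple:
    """Return an RRSIG-like pair: (signer name, signature)."""
    return (key.pub.name, pow(_message(rrset, key.pub.n), key.d, key.pub.n))


def verify(rrset: tuple, rrsig: tuple, key: PublicKey) -> bool:
    """True if rrsig was made by exactly this key over this RRset."""
    signer, s = rrsig
    return signer == key.name and pow(s, key.e, key.n) == _message(rrset, key.n)


def validate_dnskey(dnskey_rrset: tuple, rrsigs: tuple, trust_anchors: tuple) -> bool:
    """RFC 4035 5.3 rule for the apex: a configured trust anchor must appear in
    the DNSKEY RRset and some RRSIG over that RRset must verify under it."""
    for ta in trust_anchors:
        if ta in dnskey_rrset and any(verify(dnskey_rrset, sig, ta) for sig in rrsigs):
            return True
    return False


def validate_chain(dnskey_rrset: tuple, dnskey_rrsigs: tuple,
                   child_rrset: tuple, child_rrsigs: tuple, trust_anchors: tuple) -> bool:
    """A ZSK-signed RRset (e.g. a DS) is secure only if the DNSKEY RRset validated
    and the signing key is a member of that validated RRset."""
    if not validate_dnskey(dnskey_rrset, dnskey_rrsigs, trust_anchors):
        return False
    return any(verify(child_rrset, sig, key) for sig in child_rrsigs for key in dnskey_rrset)


# Fixed Mersenne primes so the run is reproducible; the moduli are far too small
# for any real use. Key names are hypothetical.
KSK_A = toy_keypair("KSK-A", True, (1 << 61) - 1, (1 << 89) - 1)
KSK_B = toy_keypair("KSK-B", True, (1 << 107) - 1, (1 << 127) - 1)
ZSK = toy_keypair("ZSK", False, (1 << 19) - 1, (1 << 31) - 1)

# Constructed child record standing in for a DS RRset signed by the root ZSK.
DS_RRSET = ("example. DS 12345 8 2 <constructed-digest>",)


def rollover_matrix() -> dict:
    """For each way of signing the single root DNSKEY RRset, what does a
    validator with anchor A only, B only, or both conclude about the DS?"""
    dnskey_rrset = (KSK_A.pub, KSK_B.pub, ZSK.pub)  # one RRset, both KSKs published
    ds_sigs = (sign(DS_RRSET, ZSK),)
    policies = {
        "sign with A only": (KSK_A,),
        "sign with B only": (KSK_B,),
        "sign with A and B": (KSK_A, KSK_B),
    }
    anchors = {
        "TA={A}": (KSK_A.pub,),
        "TA={B}": (KSK_B.pub,),
        "TA={A,B}": (KSK_A.pub, KSK_B.pub),
    }
    result = {}
    for pname, signers in policies.items():
        dnskey_sigs = tuple(sign(dnskey_rrset, k) for k in signers)
        for aname, tas in anchors.items():
            result[(pname, aname)] = validate_chain(
                dnskey_rrset, dnskey_sigs, DS_RRSET, ds_sigs, tas)
    return result


if __name__ == "__main__":
    for (policy, anchor), ok in rollover_matrix().items():
        print(f"{policy:18s} {anchor:9s} -> {'secure' if ok else 'bogus'}")
```

Reading the matrix: every row that keeps TA={A} validators secure while also exercising B is the "sign with A and B" row, and in that row TA={B} validators are secure too; a validator's outcome is decided entirely by which RRSIGs are present on the one shared DNSKEY RRset, not by anything specific to its own anchor.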