DNSSEC at IANA - was Re: meeting announcement: 3 October 2007
Edward Lewis
Ed.Lewis at neustar.biz
Fri Sep 28 14:10:07 EDT 2007
At 12:04 -0400 9/28/07, James M Galvin wrote:
>* DNSSEC @ IANA - Tech Talk
...
> http://www.dnssec-deployment.org/wg/materials/20071003/
I have a question that can be pinned to slide 9.
Regarding the classification of the ZSK's, I assume that:
Old = no signatures generated with that (private-component) key are
still in the authoritative zone, caches may still hold signatures of
this key
Active = the key that has generated all of the signatures in the
authoritative zone
New = the key hasn't generated any signatures yet
I assume that the signature validity period is roughly equal to the
24 hours from the time it is generated to the time of the next
signing run. So the old key is really only needed for 1 or 2 days
after it is superseded.
The part that relates to slide 9 specifically - if the "old" key is
compromised, why bother to replace it?
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.