DNSSEC at IANA - was Re: meeting announcement: 3 October 2007
Ed.Lewis at neustar.biz
Fri Sep 28 14:10:07 EDT 2007
At 12:04 -0400 9/28/07, James M Galvin wrote:
>* DNSSEC @ IANA - Tech Talk
I have a question that can be pinned to slide 9.
Regarding the classification of the ZSK's, I assume that:
Old = no signatures generated with that (private-component) key are
still in the authoritative zone, caches may still hold signatures of
Active = the key that has generated all of the signatures in the
New = the key hasn't generated any signatures yet
I assume that the signature validity period is roughly equal to the
24 hours from the time it is generated to the time of the next
signing run. So the old key is really only needed for 1 or 2 days
after it is superceded.
The part that related to slide 9 specifically - if the "old" key is
compromised, why bother to replace it?
Edward Lewis +1-571-434-5468
Think glocally. Act confused.
More information about the Dnssec-deployment