Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
* In the signer, the bit must only be used to prepare the key for
* exposure to the parent for DS RR processing. (Note: I do not mean
* the signer must use the bit to prepare the key for sending to the
* parent. I mean that the signer, if the implementation chooses to do
* so at all, must *only* use the bit for that purpose.)
Bind's dnssec-signzone now uses -k <KSKs> to indicate which keysigning
keys. I would love to see the bit used so that <KSKs> do not need to
be specified and the -k flag (or whatever letter you want to assign)
only is sufficient. As a result of using the flag you would have your
pre-prepared keysets, EPP encapsulation or registry form as
output... but that is up to the implementor and its clients.
The draft does specifically say that the bit does NOT modify the
protocol and MUST NOT be used during verification.
* In the key generator, the bit can be set.
That would be handy :-).
--Olaf
--
archive: <http://ops.ietf.org/lists/namedroppers/>
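
The split discussed in this message, as an added example that is not part of the original post or of BIND: a signer-side helper that uses the flag only to pick the keys exported to the parent as DS, and a verifier-side lookup that never reads the flag. Assumptions: the bit position is the one later published in RFC 3757 (flags bit 15), records use the later DNSKEY presentation format with SHA-256 DS digests, all function names are hypothetical, and the keyset is constructed filler data.

```python
import base64
import hashlib
import struct

SEP = 0x0001  # assumption: flags bit 15, the position published in RFC 3757

# Constructed sample keyset: filler bytes stand in for key material.
ZSK_B64 = base64.b64encode(bytes(range(32))).decode()
KSK_B64 = base64.b64encode(bytes(range(32, 64))).decode()
KEYSET = (f"example.com. 3600 IN DNSKEY 256 3 8 {ZSK_B64}\n"
          f"example.com. 3600 IN DNSKEY 257 3 8 {KSK_B64}\n")

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Return (owner, flags, rdata) for one presentation-format DNSKEY line."""
    owner, _ttl, _cls, _type, flags, proto, alg, *b64 = line.split()
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return owner, int(flags), rdata + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_for_parent(keyset_text):
    """Signer side: use the bit only to pick the keys exported as DS."""
    out = []
    for line in keyset_text.strip().splitlines():
        owner, flags, rdata = parse_dnskey(line)
        if flags & SEP:
            digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
            out.append(f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}")
    return out

def verification_candidates(keyset_text, tag, alg):
    """Verifier side: match key tag and algorithm; the bit is never read."""
    rdatas = [parse_dnskey(l)[2] for l in keyset_text.strip().splitlines()]
    return [r for r in rdatas if key_tag(r) == tag and r[3] == alg]

if __name__ == "__main__":
    print("\n".join(ds_for_parent(KEYSET)))
```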