On Dec 4, 2008, at 12:23, Ondřej Surý wrote:
> Or owner can publish two RKEYs and start encrypting with second key after all caches are clear. (similar to pre-publish method of rotating DNSKEYs). Or am I missing something?
Yes. Implementation details that are not germane to what should be getting discussed here: namely the template and type code assignment.
I have already stated key rollover is not necessary. An RKEY is bound to a bunch of encrypted NAPTRs. Both get generated and managed as a single entity. [This is from an implementation perspective, not from a DNS protocol perspective.] If they are not co-ordinated in that way, bad things will happen to whoever broke that linkage. Their problem. Not this WG's. From a DNS protocol point of view this is no different from having an MX record point at a non-existent hostname.
-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
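The exchange above turns on whether an RKEY RRset and the encrypted NAPTR RRsets that depend on it can be swapped as one unit, or need a DNSKEY-style pre-publish rollover. The following simulation is an added example, not code from the thread or from any draft, and it models nothing about the RR wire formats: keys are plain ids, and the "encrypted" NAPTR RRset is represented only by the id of the key it was produced with. It assumes the RKEY RRset lives at the zone apex with a longer TTL than the per-number NAPTR RRsets (both TTL values are constructed), so a resolver can hold a fresh NAPTR alongside a stale RKEY set. It shows the window in which such a resolver cannot decrypt under one-step replacement, and that the pre-publish schedule leaves no such window.

```python
from dataclasses import dataclass, field

# Constructed model, not any draft's format: keys are just ids and the
# encrypted NAPTR RRset is represented by the id of the key it was made with.
# The question being modelled is cache coherence, not the cipher.
RKEY_TTL = 3600   # apex RKEY RRset: fetched once, reused for many NAPTR lookups
NAPTR_TTL = 300   # per-number NAPTR RRset: short TTL, refetched often


@dataclass
class Zone:
    rkeys: set       # key ids currently present in the RKEY RRset
    naptr_key: str   # key id the published NAPTR ciphertext was produced with

    def publish(self, rkeys, naptr_key):
        self.rkeys, self.naptr_key = set(rkeys), naptr_key


@dataclass
class Resolver:
    """Caches the RKEY and NAPTR RRsets independently, each with its own TTL."""
    cache: dict = field(default_factory=dict)   # rrtype -> (value, expires_at)

    def fetch(self, zone, rrtype, now):
        hit = self.cache.get(rrtype)
        if hit and hit[1] > now:
            return hit[0]                        # still within TTL
        if rrtype == "RKEY":
            value, ttl = frozenset(zone.rkeys), RKEY_TTL
        else:
            value, ttl = zone.naptr_key, NAPTR_TTL
        self.cache[rrtype] = (value, now + ttl)
        return value

    def can_decrypt(self, zone, now):
        """True iff the key the NAPTR was encrypted under is in the RKEY set
        this resolver currently holds (cached or freshly fetched)."""
        return self.fetch(zone, "NAPTR", now) in self.fetch(zone, "RKEY", now)


def atomic_schedule(t):
    """'Single entity' regeneration: key and ciphertext swapped in one step."""
    return [(t, {"k2"}, "k2")]


def prepublish_schedule(t):
    """Pre-publish rollover, as for DNSKEYs: add k2, wait out RKEY_TTL so every
    cache holds both keys, re-encrypt under k2, wait again, then retire k1."""
    return [(t, {"k1", "k2"}, "k1"),
            (t + RKEY_TTL, {"k1", "k2"}, "k2"),
            (t + 2 * RKEY_TTL, {"k2"}, "k2")]


def simulate(schedule, probe_every=600, horizon=4 * RKEY_TTL):
    """Run one resolver against the zone while the schedule is applied; return
    the probe times at which the NAPTR it obtained could not be decrypted."""
    zone = Zone({"k1"}, "k1")
    resolver = Resolver()
    pending = sorted(schedule)
    failures = []
    for now in range(0, horizon, probe_every):
        while pending and pending[0][0] <= now:
            _, rkeys, naptr_key = pending.pop(0)
            zone.publish(rkeys, naptr_key)
        if not resolver.can_decrypt(zone, now):
            failures.append(now)
    return failures


if __name__ == "__main__":
    print("one-step replace at t=1800, failing probes:",
          simulate(atomic_schedule(1800)))
    print("pre-publish from t=1800, failing probes:",
          simulate(prepublish_schedule(1800)))
```

With the constructed TTLs, the one-step swap fails every probe between the swap and the moment the cached RKEY set expires (1800 through 3000 seconds), because the resolver refetches the short-TTL NAPTR but keeps the old apex key set. The pre-publish schedule never fails because the zone waits a full RKEY_TTL after adding k2 before anything is encrypted under it, so even a resolver that fetched the key set just before the addition has refreshed it by the time it matters.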