proposed new command line option for dnssec-signzone
Pierre Beyssac
pb at fasterix.frmug.org
Tue Sep 24 00:01:07 UTC 2013
Hi Evan,
On Mon, Sep 23, 2013 at 04:24:33PM +0000, Evan Hunt wrote:
> Hi Pierre,
>
> It wasn't unnoticed, just unanswered, and I apologize. I haven't
> had cycles to consider this yet.
Thanks for your reply. No worries, I apologize in turn; I could have
waited longer ;)
> Incidentally, a good place to submit patches is actually
> bind-suggest at isc.org -- that goes into our ticketing system so
> we don't have rely on our faulty human brains to remember it.
Thanks, I didn't know that. I'll remember it next time.
> The first thought I had was to wonder whether we should add a
> new option or merely extend the -R option to do what you're asking.
> Are there circumstances when you'd need the current -R behavior but
> would *not* want the behavior that you're proposing for -1?
No.
-R seems to match RFC 4641 section 4.2.1.2 Double Signature Zone
Signing Key Rollover. So some people probably have a use for it,
but in my case I want to avoid that.
My patches implement RFC 4641 4.2.1.1 Pre-Publish Key Rollover.
I agree with you that from a logical point of view, -1 is just a
variation of -R, since it simply causes the RRSIGs to be removed
sooner in the rollover procedure.
A given RRSIG cannot match at the same time both -R and -1 for
removal, so in theory you could have a file having both categories
of RRSIGs that you might want to remove in one step, but I can't
see a real world scenario for that.
--
Sent from my FreeBSD server on its IPv6 connection
Pierre Beyssac pb at fasterix.frmug.org
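The two RFC 4641 ZSK rollover procedures that the thread compares, as an added example in Python that is not from the thread, from Pierre's patches or from BIND. It models a zone as a set of published DNSKEY key tags, a set of active (signing) key tags and the RRSIGs present, runs both procedures step by step, and reports at each step how many RRSIGs would match each of the two removal rules under discussion: RRSIGs from keys that are no longer published (the behaviour the thread attributes to -R, double-signature rollover) and RRSIGs from keys that are still published but no longer signing (what the proposed -1 is described as removing earlier, pre-publish rollover). It also checks the observation above that no single RRSIG can fall into both categories. The key tags 11111 and 22222, the three RRsets and all function names are constructed for the example; nothing here is dnssec-signzone's actual code or a statement of what either option does in any BIND release.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data (assumptions, not taken from the thread):
# two hypothetical ZSK key tags and three RRsets in a toy zone.
OLD_ZSK = 11111
NEW_ZSK = 22222
RRSETS = (("example.", "SOA"), ("example.", "NS"), ("www.example.", "A"))


@dataclass(frozen=True)
class RRSig:
    """One RRSIG, reduced to the fields the rollover logic needs."""
    owner: str
    rrtype: str
    keytag: int


@dataclass
class Zone:
    dnskeys: set   # key tags currently published in the DNSKEY RRset
    active: set    # key tags that sign the zone in the current step
    rrsigs: set    # RRSIGs currently present in the signed zone


def sign(zone: Zone) -> None:
    """Add RRSIGs for every RRset with every active key; existing RRSIGs stay."""
    for owner, rrtype in RRSETS:
        for tag in zone.active:
            zone.rrsigs.add(RRSig(owner, rrtype, tag))


def sigs_of_unpublished_keys(zone: Zone) -> set:
    """RRSIGs whose DNSKEY is gone from the zone (the -R-style rule the
    thread associates with double-signature rollover)."""
    return {s for s in zone.rrsigs if s.keytag not in zone.dnskeys}


def sigs_of_inactive_published_keys(zone: Zone) -> set:
    """RRSIGs from keys still published but no longer signing (the earlier
    removal the proposed -1 option is described as performing)."""
    return {s for s in zone.rrsigs
            if s.keytag in zone.dnskeys and s.keytag not in zone.active}


def snapshot(step: str, zone: Zone) -> tuple:
    """(step, total RRSIGs, #matching -R-style rule, #matching -1-style rule)."""
    return (step, len(zone.rrsigs),
            len(sigs_of_unpublished_keys(zone)),
            len(sigs_of_inactive_published_keys(zone)))


def run_prepublish() -> list:
    """RFC 4641 4.2.1.1: publish new DNSKEY, switch signing, then retire old key."""
    z = Zone({OLD_ZSK}, {OLD_ZSK}, set())
    sign(z)
    log = [snapshot("initial", z)]
    z.dnskeys.add(NEW_ZSK)               # new key published, not yet signing
    sign(z)
    log.append(snapshot("new DNSKEY published", z))
    z.active = {NEW_ZSK}                 # new key signs; old DNSKEY still published
    sign(z)
    log.append(snapshot("new key signs", z))
    z.rrsigs -= sigs_of_inactive_published_keys(z)   # the -1-style removal
    log.append(snapshot("old RRSIGs dropped", z))
    z.dnskeys.discard(OLD_ZSK)
    log.append(snapshot("old DNSKEY removed", z))
    return log


def run_double_signature() -> list:
    """RFC 4641 4.2.1.2: both keys sign, then old key and its RRSIGs are removed."""
    z = Zone({OLD_ZSK}, {OLD_ZSK}, set())
    sign(z)
    log = [snapshot("initial", z)]
    z.dnskeys.add(NEW_ZSK)
    z.active.add(NEW_ZSK)                # both keys sign for a while
    sign(z)
    log.append(snapshot("both keys sign", z))
    z.dnskeys.discard(OLD_ZSK)
    z.active.discard(OLD_ZSK)
    log.append(snapshot("old DNSKEY removed", z))
    z.rrsigs -= sigs_of_unpublished_keys(z)          # the -R-style removal
    log.append(snapshot("old RRSIGs dropped", z))
    return log


def categories_overlap(zone: Zone) -> bool:
    """True if some RRSIG matches both rules; by construction this is never the case."""
    return bool(sigs_of_unpublished_keys(zone) & sigs_of_inactive_published_keys(zone))


if __name__ == "__main__":
    for name, log in (("pre-publish", run_prepublish()),
                      ("double-signature", run_double_signature())):
        print(name)
        for step, total, r_style, one_style in log:
            print(f"  {step:22} RRSIGs={total} -R-style={r_style} -1-style={one_style}")
```

The interesting rows are the third step of each run: in pre-publish rollover the stale RRSIGs belong to a key whose DNSKEY is still in the zone, so only the inactive-but-published rule matches them, while in double-signature rollover the stale RRSIGs belong to a key whose DNSKEY has already been removed, so only the unpublished-key rule matches. The two predicates are complementary on the "is the key still published" test, which is why an RRSIG can never be selected by both.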