proposed new command line option for dnssec-signzone
pb at fasterix.frmug.org
Tue Sep 24 00:01:07 UTC 2013
On Mon, Sep 23, 2013 at 04:24:33PM +0000, Evan Hunt wrote:
> Hi Pierre,
> It wasn't unnoticed, just unanswered, and I apologize. I haven't
> had cycles to consider this yet.
Thanks for your reply. No worries, I apologize in turn; I could have
waited longer ;)
> Incidentally, a good place to submit patches is actually
> bind-suggest at isc.org -- that goes into our ticketing system so
> we don't have to rely on our faulty human brains to remember it.
Thanks, I didn't know that. I'll remember it next time.
> The first thought I had was to wonder whether we should add a
> new option or merely extend the -R option to do what you're asking.
> Are there circumstances when you'd need the current -R behavior but
> would *not* want the behavior that you're proposing for -1?
-R seems to match RFC 4641 section 220.127.116.11 Double Signature Zone
Signing Key Rollover. So some people probably have a use for it,
but in my case I want to avoid that.
My patches implement RFC 4641 18.104.22.168 Pre-Publish Key Rollover.
I agree with you that from a logical point of view, -1 is just a
variation of -R since it simply causes the RRSIGs to be removed
sooner in the rollover procedure.
A given RRSIG cannot match at the same time both -R and -1 for
removal, so in theory you could have a file having both categories
of RRSIGs that you might want to remove in one step, but I can't
see a real world scenario for that.
Sent from my FreeBSD server on its IPv6 connection
Pierre Beyssac pb at fasterix.frmug.org