validns
Algorithm Key Rollover support
Via Daniel Stirnimann:
- there are multiple RRSIGs for every signed record
- one or more DNSKEYs for some of those RRSIGs is missing
- but there is at least one valid RRSIG for which a valid key is found, for every signed record
If so, then it might make sense to not consider this an error at all (or maybe add a policy check that will make such cases into errors, thus allowing the operator the degree of control you suggest, effectively).
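The decision described above, written out as an added example; it is not validns code. The struct layouts, the `strict` flag, the `sig_ok` field (standing in for the result of real signature verification) and the sample key tags are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this example; not validns data structures. */
struct dnskey { uint16_t key_tag; uint8_t algorithm; };
/* sig_ok: assumed outcome of cryptographic verification (not performed here). */
struct rrsig { uint16_t key_tag; uint8_t algorithm; bool sig_ok; };
enum verdict { RRSET_OK, RRSET_OK_KEY_MISSING, RRSET_ERROR };

/* Constructed sample, mid-rollover: only the algorithm 8 key is published,
 * while the RRset also carries an algorithm 13 RRSIG that has no DNSKEY. */
static const struct dnskey sample_keys[] = { { 11111, 8 } };
static const struct rrsig sample_sigs[] = { { 11111, 8, true }, { 22222, 13, false } };

/* Simplified match on key tag and algorithm only (signer name is ignored). */
static bool have_key(const struct dnskey *keys, size_t nkeys, const struct rrsig *s)
{
    for (size_t i = 0; i < nkeys; i++)
        if (keys[i].key_tag == s->key_tag && keys[i].algorithm == s->algorithm)
            return true;
    return false;
}

/* strict models the proposed policy check: a missing DNSKEY becomes an error
 * even when another RRSIG validates. Without it, such an RRset is accepted. */
enum verdict check_rrset(const struct rrsig *sigs, size_t nsigs,
                         const struct dnskey *keys, size_t nkeys, bool strict)
{
    bool valid = false, missing = false;
    for (size_t i = 0; i < nsigs; i++) {
        if (!have_key(keys, nkeys, &sigs[i]))
            missing = true;          /* RRSIG whose DNSKEY is not in the zone */
        else if (sigs[i].sig_ok)
            valid = true;            /* valid RRSIG with a key that was found */
    }
    if (!valid)
        return RRSET_ERROR;          /* nothing validates: always an error */
    if (missing)
        return strict ? RRSET_ERROR : RRSET_OK_KEY_MISSING;
    return RRSET_OK;
}

int main(void)
{
    printf("default: %d, strict: %d\n",
           check_rrset(sample_sigs, 2, sample_keys, 1, false),
           check_rrset(sample_sigs, 2, sample_keys, 1, true));
    return 0;
}
```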