[Opendnssec-develop] KSK vs ZSK
Rick van Rein
rick at openfortress.nl
Thu Mar 5 13:35:33 UTC 2009
The path down ( DS / KSK / ZSK / RR ) is always traversed in the same
direction, so if you use both KSK and ZSK in a zone, without a need to
step back or sideways from ZSK to a(nother) ZSK or KSK.
> a KSK is a key that signs all DNSKEY RRset. we all agree on that.
> but does a ZSK sign all RRSETs or all non-DNSKEY RRsets?
I cannot think of situations where ZSK-signed DNSKEYs pose a problem; and
I cannot think of situations where ZSK-signed DNSKEYs are of any use.
No signing DNSKEYs with the ZSK would save wire bits, and that weak
reason is all I can think of.
> if so, a key
> can be both a KSK and a ZSK.
Haha! The idea of the distinction in names is to show their different
functions. If there's no difference you shouldn't use those names!
More information about the Opendnssec-develop