[Opendnssec-develop] KSK vs ZSK
matthijs at NLnetLabs.nl
Thu Mar 5 13:38:33 UTC 2009
Don't know what happened there. Here is the original message:
The discussion continued at our office.
RFC 4641 says the ZSK should sign all the RRsets.
For the sake of OpenDNSSEC, perhaps we should add an attribute to keys
called 'sign-what' or something, that can have the following values:
- sign nothing
- sign all
- sign all but keyset
- sign only keyset.
Jakob Schlyter wrote:
> john, jelte and I just had an interesting discussion on jabber.
> a KSK is a key that signs all DNSKEY RRset. we all agree on that.
> but does a ZSK sign all RRSETs or all non-DNSKEY RRsets? if so, a key
> can be both a KSK and a ZSK.
> so, dear list, please advice!
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 544 bytes
Desc: OpenPGP digital signature
More information about the Opendnssec-develop