[Opendnssec-develop] KSK vs ZSK

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Mar 5 13:38:33 UTC 2009

Don't know what happened there. Here is the original message:

The discussion continued at our office.
RFC 4641 says the ZSK should sign all the RRsets.
For the sake of OpenDNSSEC, perhaps we should add an attribute to keys
called 'sign-what' or something, that can have the following values:

- sign nothing
- sign all
- sign all but keyset
- sign only keyset.

Makes sense?


Jakob Schlyter wrote:
> hi,
> john, jelte and I just had an interesting discussion on jabber.
> a KSK is a key that signs all DNSKEY RRsets. we all agree on that.
> but does a ZSK sign all RRsets or all non-DNSKEY RRsets? if so, a key
> can be both a KSK and a ZSK.
> so, dear list, please advise!
>     jakob

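
An added example, not part of the original message and not OpenDNSSEC code: the four proposed 'sign-what' values modelled as a per-key attribute, with a check for RRsets that no key would sign. The names `SignWhat`, `key_signs`, `signers`, `unsigned` and the sample zone and key sets are hypothetical and constructed for illustration.

```python
from enum import Enum

class SignWhat(Enum):
    # The four values proposed in the message above.
    NOTHING = "sign nothing"
    ALL = "sign all"
    ALL_BUT_KEYSET = "sign all but keyset"
    ONLY_KEYSET = "sign only keyset"

def key_signs(sign_what, rrtype):
    """True if a key with this attribute signs an RRset of the given type."""
    is_keyset = (rrtype == "DNSKEY")
    if sign_what is SignWhat.ALL:
        return True
    if sign_what is SignWhat.ONLY_KEYSET:
        return is_keyset
    if sign_what is SignWhat.ALL_BUT_KEYSET:
        return not is_keyset
    return False  # SignWhat.NOTHING, e.g. a published key that is not in use

def signers(keys, rrsets):
    """Map each (owner, type) RRset to the sorted names of the keys signing it."""
    return {rr: sorted(n for n, sw in keys.items() if key_signs(sw, rr[1]))
            for rr in rrsets}

def unsigned(keys, rrsets):
    """RRsets no key would sign: a policy error that leaves data unvalidatable."""
    return [rr for rr, names in signers(keys, rrsets).items() if not names]

# Constructed sample of apex and in-zone RRsets: (owner name, RR type).
ZONE = [("example.", "DNSKEY"), ("example.", "SOA"),
        ("example.", "NS"), ("www.example.", "A")]

# Constructed key sets, one per reading discussed in the thread.
SPLIT = {"ksk": SignWhat.ONLY_KEYSET, "zsk": SignWhat.ALL_BUT_KEYSET}
RFC4641 = {"ksk": SignWhat.ONLY_KEYSET, "zsk": SignWhat.ALL}  # ZSK signs all
SINGLE = {"key": SignWhat.ALL}            # one key acting as both KSK and ZSK
BROKEN = {"ksk": SignWhat.ONLY_KEYSET, "standby": SignWhat.NOTHING}

if __name__ == "__main__":
    for label, keys in [("split", SPLIT), ("rfc4641", RFC4641),
                        ("single", SINGLE), ("broken", BROKEN)]:
        dnskey_signers = signers(keys, ZONE)[("example.", "DNSKEY")]
        print(label, "DNSKEY signed by", dnskey_signers,
              "unsigned:", unsigned(keys, ZONE))
```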