[Opendnssec-develop] KSK vs ZSK

Jelte Jansen jelte at NLnetLabs.nl
Thu Mar 5 13:40:52 UTC 2009


Rick van Rein wrote:
> Hi,
> 
>> if so, a key can be both a KSK and a ZSK.
> 
> Haha!  The idea of the distinction in names is to show their different
> functions.  If there's no difference you shouldn't use those names!
> 

Actually, in this case, the terms KSK and ZSK would change from being
key types to being separate key properties, which can both be either
true or false for any given key.

Technically this would be an implementation detail with about the same
features as the list of attributes Matthijs just mailed.

(btw, 4641bis will contain something along the lines of 'ZSKs sign all
zone data, except perhaps the DNSKEY rrset')

Jelte
