[Opendnssec-develop] KSK vs ZSK
roy at nominet.org.uk
Thu Mar 5 13:41:30 UTC 2009
Jakob Schlyter wrote on 03/05/2009 02:22:17 PM:
> john, jelte and I just had an interesting discussion on jabber.
> a KSK is a key that signs all DNSKEY RRset. we all agree on that.
> but does a ZSK sign all RRSETs or all non-DNSKEY RRsets? if so, a key
> can be both a KSK and a ZSK.
> so, dear list, please advise!
Technically (protocol wise) it doesn't matter as long as every
authoritative RRset is signed by at least one key of each key algorithm of
keys present in the apex. The difference in KSK and ZSK (the SEP bit) is
solely cosmetic and must be completely ignored by validators. So, you could
have K1, K2 and K3, where K1 signs the keyset, K2 signs all the NSEC(3)
records, and K3 signs the rest of the data. This could also be done by one
Note that, as long as the algorithm is the same for the KSK and the ZSK,
signatures made by the ZSK over the DNSKEY RRset are redundant. This would
be a very small optimization, and probably not worth the effort.
The 'term' KSK and ZSK is coined for operators. I have no idea where it
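The invariant Roy describes (every authoritative RRset signed by at least one key of each algorithm in the apex DNSKEY RRset, with the SEP bit playing no role) and the "redundant ZSK signature over the DNSKEY RRset" remark can both be expressed as a small audit. The following is an added example, not code from OpenDNSSEC or from anyone on the thread; the key tags, flags and RRSIG lists are constructed sample data, and the helper names are my own.

```python
"""
Audit the DNSSEC signing invariant from RFC 4035 section 2.2: every
authoritative RRset must carry an RRSIG from at least one key of *each*
algorithm present in the apex DNSKEY RRset.  The KSK/ZSK distinction (the
SEP bit, flag value 1) is never consulted when checking coverage.
"""

# Constructed sample apex DNSKEY RRset: (key_tag, flags, algorithm).
# flags 257 = ZONE + SEP (what operators call a KSK), 256 = ZONE only (ZSK).
# Algorithm numbers are IANA values: 8 = RSASHA256, 13 = ECDSAP256SHA256.
APEX_DNSKEYS = [
    (1234, 257, 8),   # K1, SEP bit set
    (5678, 256, 8),   # K2, same algorithm as K1
    (9012, 256, 13),  # K3, a second algorithm at the apex
]

# Constructed sample zone: (owner, type) -> list of (key_tag, algorithm)
# taken from the RRSIG RRs that cover that RRset.
ZONE_RRSIGS = {
    ("example.", "DNSKEY"): [(1234, 8), (5678, 8), (9012, 13)],
    ("example.", "SOA"):    [(5678, 8), (9012, 13)],
    ("example.", "NSEC"):   [(5678, 8), (9012, 13)],
    ("www.example.", "A"):  [(5678, 8)],   # no algorithm-13 signature
}

ZONE_FLAG = 0x100  # Zone Key flag, RFC 4034 section 2.1.1
SEP_FLAG = 0x1     # Secure Entry Point flag, cosmetic for validators


def apex_algorithms(dnskeys):
    """Algorithms a validator must see a signature for on every RRset.

    Keys with the Zone Key flag clear are not zone-signing keys and are
    skipped; the SEP bit is deliberately ignored.
    """
    return {alg for _tag, flags, alg in dnskeys if flags & ZONE_FLAG}


def find_coverage_gaps(dnskeys, rrsigs):
    """Return {(owner, type): set_of_missing_algorithms} for every RRset
    that lacks a signature from some apex algorithm.  An empty dict means
    the zone satisfies the invariant regardless of which key is labelled
    KSK or ZSK."""
    required = apex_algorithms(dnskeys)
    # Only signatures whose (tag, algorithm) matches a real apex key count.
    known = {(tag, alg) for tag, flags, alg in dnskeys if flags & ZONE_FLAG}
    gaps = {}
    for rrset, sigs in rrsigs.items():
        covered = {alg for tag, alg in sigs if (tag, alg) in known}
        missing = required - covered
        if missing:
            gaps[rrset] = missing
    return gaps


def redundant_dnskey_signatures(dnskeys, dnskey_sigs):
    """Signatures over the DNSKEY RRset made by a non-SEP key whose
    algorithm is already covered by a SEP-flagged key's signature.  These
    are the redundant ZSK signatures mentioned in the message; omitting
    them is a small size optimisation, never a correctness requirement."""
    sep_tags = {tag for tag, flags, _alg in dnskeys if flags & SEP_FLAG}
    algs_by_sep = {alg for tag, alg in dnskey_sigs if tag in sep_tags}
    return [(tag, alg) for tag, alg in dnskey_sigs
            if tag not in sep_tags and alg in algs_by_sep]


if __name__ == "__main__":
    print("apex algorithms:", sorted(apex_algorithms(APEX_DNSKEYS)))
    for rrset, missing in find_coverage_gaps(APEX_DNSKEYS, ZONE_RRSIGS).items():
        print("GAP", rrset, "missing algorithm(s)", sorted(missing))
    print("redundant DNSKEY RRSIGs:",
          redundant_dnskey_signatures(APEX_DNSKEYS, ZONE_RRSIGS[("example.", "DNSKEY")]))
```

Run against the sample data, the audit flags `www.example./A` as unsigned by algorithm 13 (so a validator requiring that algorithm would treat the answer as bogus), while the K2 signature over the DNSKEY RRset is reported as redundant because K1, the same-algorithm SEP key, already covers it.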