[Opendnssec-develop] KSK vs ZSK

Rick van Rein rick at openfortress.nl
Thu Mar 5 13:48:38 UTC 2009


> For the sake of OpenDNSSEC, perhaps we should add an attribute to keys
> called 'sign-what' or something, that can have the following values:
> - sign nothing
> - sign all
> - sign all but keyset
> - sign only keyset.
> Makes sense?

I wonder if this isn't cluttering the user interface with details that
are of no significant consequence.  The choice is non-deterministic,
as far as I can tell.  That means you are free to choose what you
prefer, and the accepting side ought to be liberal in what it accepts.

Keep in mind that OpenDNSSEC is supposed to be "plug and play", so it
makes no sense to me to add GUI frills for unimportant choices that
need a lot of explanation!


More information about the Opendnssec-develop mailing list