[Opendnssec-develop] KSK vs ZSK
roy at nominet.org.uk
Thu Mar 5 13:54:57 UTC 2009
Matthijs Mekking wrote on 03/05/2009 02:38:33 PM:
> The discussion continued at our office.
> RFC 4641 says the ZSK should sign all the RRsets.
> For the sake of OpenDNSSEC, perhaps we should add an attribute to keys
> called 'sign-what' or something, that can have the following values:
Okay, let's ignore the terminology SEP/KSK/ZSK for now.
> - sign nothing
> - sign all
> - sign all but keyset
> - sign only keyset.
> Makes sense?
Yes it does. We need to have a set of keys that, when combined, signs
everything in the zone (the keys need to complement each other), and also
note that overlap is not an issue.
I can think of a variety of 'ranges' for a key:
DNSSEC signing, three bits:
sign keyset: 001
sign data: 010
sign NSEC/3: 100
So, a key with range 7 would sign everything (much like a ZSK), and a
key with range 1 would be a KSK.
All the keys that are currently in use must have a combined range of "7".
I can also see separate DNSKEY uses, for instance signatures over SSHFP's
or over CERT records, which would automatically get a range of 0, and an
Just a thought,
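The three-bit range scheme sketched in the message above, worked through in Python as an added example (this is not OpenDNSSEC code and is not from either message). The bit values follow Roy's proposal and the mapping of Matthijs' four 'sign-what' values onto ranges is my reading of the two proposals side by side; the Key class, the key tags and the function names are invented for the illustration.

```python
"""Added example: the three-bit signing 'range' from the thread, not OpenDNSSEC code."""
from dataclasses import dataclass
from typing import Iterable, List

# The three bits proposed in the message.
SIGN_KEYSET = 0b001  # signs the DNSKEY RRset (the "keyset")
SIGN_DATA = 0b010    # signs the rest of the zone data
SIGN_NSEC = 0b100    # signs NSEC/NSEC3 records
SIGN_ALL = SIGN_KEYSET | SIGN_DATA | SIGN_NSEC  # 7

BIT_NAMES = {SIGN_KEYSET: "keyset", SIGN_DATA: "data", SIGN_NSEC: "nsec"}

# Matthijs' four 'sign-what' values written as ranges. This mapping is an
# assumption made for the example; neither message states it explicitly.
SIGN_WHAT = {
    "sign nothing": 0,
    "sign all": SIGN_ALL,                            # 7, the classic ZSK
    "sign all but keyset": SIGN_ALL & ~SIGN_KEYSET,  # 6
    "sign only keyset": SIGN_KEYSET,                 # 1, the classic KSK
}


@dataclass(frozen=True)
class Key:
    tag: int          # illustrative key tag, not derived from real key material
    sign_range: int   # 0..7
    active: bool = True

    def __post_init__(self) -> None:
        if not 0 <= self.sign_range <= SIGN_ALL:
            raise ValueError(f"range must be 0..7, got {self.sign_range}")


def range_for_rrtype(rrtype: str) -> int:
    """Return the range bit a key needs in order to sign this RRset type."""
    if rrtype == "DNSKEY":
        return SIGN_KEYSET
    if rrtype in ("NSEC", "NSEC3"):
        return SIGN_NSEC
    return SIGN_DATA


def combined_range(keys: Iterable[Key]) -> int:
    """OR together the ranges of the active keys; overlap is harmless here."""
    result = 0
    for key in keys:
        if key.active:
            result |= key.sign_range
    return result


def coverage_gaps(keys: Iterable[Key]) -> List[str]:
    """Names of the bits no active key covers; empty means combined range 7."""
    covered = combined_range(keys)
    return [name for bit, name in BIT_NAMES.items() if not covered & bit]


def signers_for(keys: Iterable[Key], rrtype: str) -> List[Key]:
    """Every active key whose range includes the bit for this RRset type."""
    bit = range_for_rrtype(rrtype)
    return [k for k in keys if k.active and k.sign_range & bit]


if __name__ == "__main__":
    ksk = Key(tag=11111, sign_range=SIGN_WHAT["sign only keyset"])
    zsk = Key(tag=22222, sign_range=SIGN_WHAT["sign all but keyset"])
    keys = [ksk, zsk]
    print(coverage_gaps(keys))                              # []
    print([k.tag for k in signers_for(keys, "DNSKEY")])     # [11111]
    print([k.tag for k in signers_for(keys, "NSEC3")])      # [22222]
    print(coverage_gaps([ksk]))                             # ['data', 'nsec']
    # Overlap: a range-7 key next to the KSK just means two RRSIGs over DNSKEY.
    zsk7 = Key(tag=33333, sign_range=SIGN_ALL)
    print([k.tag for k in signers_for([ksk, zsk7], "DNSKEY")])  # [11111, 33333]
```

The coverage check is the operational point of the scheme: before a key is retired, the remaining active keys must still OR to 7, otherwise some RRsets in the zone would go unsigned.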