[Opendnssec-develop] KSK vs ZSK

Roy Arends roy at nominet.org.uk
Thu Mar 5 13:54:57 UTC 2009

Matthijs Mekking wrote on 03/05/2009 02:38:33 PM:

> The discussion continued at our office.
> RFC 4641 says the ZSK should sign all the RRsets.
> For the sake of OpenDNSSEC, perhaps we should add an attribute to keys
> called 'sign-what' or something, that can have the following values:

Okay, let's ignore the terminology SEP/KSK/ZSK for now.
> - sign nothing
> - sign all
> - sign all but keyset
> - sign only keyset.
> Makes sense?

Yes it does. We need to have a set of keys that, when combined, signs 
everything in the zone (the keys need to complement each other), and also 
note that overlap is not an issue.

I can think of a variety of 'ranges' for a key:

DNSSEC signing, three bits:

sign keyset: 001
sign data:   010
sign NSEC/3: 100

So, a key with range 7 would sign everything (similar to a ZSK), and a 
key with range 1 would be a KSK.

All the keys that are currently in use must have a combined range of "7".

I can also see separate DNSKEY uses, for instance signatures over SSHFPs 
or over CERT records, which would automatically get a range of 0, and an 
associated range.

Just a thought,


Roy Arends
Sr. Researcher
Nominet UK
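As an added example (not part of this thread, and not OpenDNSSEC's own code), the following Python models the three-bit "range" scheme from the message above and checks the requirement that the keys currently in use combine to a range of 7. The key names, the key record layout and the two constructed key sets are assumptions made for illustration.

```python
# Added example: three-bit DNSKEY "range" bookkeeping, after Roy Arends'
# proposal. Not OpenDNSSEC code; all key names/records below are constructed.
from typing import NamedTuple

SIGN_KEYSET = 0b001   # sign the DNSKEY RRset
SIGN_DATA   = 0b010   # sign the other RRsets in the zone
SIGN_NSEC   = 0b100   # sign the NSEC/NSEC3 chain
FULL_RANGE  = SIGN_KEYSET | SIGN_DATA | SIGN_NSEC   # == 7

RANGE_NAMES = {SIGN_KEYSET: "keyset", SIGN_DATA: "data", SIGN_NSEC: "NSEC/3"}


class Key(NamedTuple):
    id: str        # hypothetical key identifier
    range: int     # three-bit range, 0..7
    active: bool   # "currently in use" in the sense of the message


def combined_range(keys):
    """OR together the ranges of all active keys (overlap is fine)."""
    r = 0
    for k in keys:
        if not 0 <= k.range <= FULL_RANGE:
            raise ValueError(f"{k.id}: range {k.range} is not a 3-bit value")
        if k.active:
            r |= k.range
    return r


def covers_zone(keys):
    """True when the active keys together sign everything in the zone."""
    return combined_range(keys) == FULL_RANGE


def missing_components(keys):
    """Names of the signing duties no active key takes on."""
    r = combined_range(keys)
    return [name for bit, name in RANGE_NAMES.items() if not r & bit]


def signers_for(keys, component):
    """Active keys whose range includes the given component bit."""
    return [k.id for k in keys if k.active and k.range & component]


def describe_range(r):
    """Human-readable name for a range, e.g. 6 -> 'data+NSEC/3'."""
    parts = [name for bit, name in RANGE_NAMES.items() if r & bit]
    return "+".join(parts) if parts else "nothing"


# Constructed key set: classic KSK (range 1) plus a ZSK that signs all but
# the keyset (range 6), and a range-0 key used only for SSHFP signatures.
ZONE_KEYS = [
    Key("ksk-1", 1, True),
    Key("zsk-1", 6, True),
    Key("sshfp-1", 0, True),
]

# Constructed key set with only a KSK active: does not cover the zone.
KSK_ONLY = [
    Key("ksk-1", 1, True),
    Key("zsk-old", 6, False),
]

if __name__ == "__main__":
    for name, keys in (("ZONE_KEYS", ZONE_KEYS), ("KSK_ONLY", KSK_ONLY)):
        r = combined_range(keys)
        print(f"{name}: combined range {r} ({describe_range(r)}), "
              f"covers zone: {covers_zone(keys)}, "
              f"missing: {missing_components(keys)}")
```

Checking coverage as a bitwise OR over the active keys makes the complementing rule explicit: a rollover can introduce any mix of ranges as long as the OR stays 7, and `missing_components` names exactly what a proposed key set fails to sign.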
