[Opendnssec-develop] KSK vs ZSK
John Dickinson
jad at jadickinson.co.uk
Thu Mar 5 16:41:13 UTC 2009
On 5 Mar 2009, at 13:54, Roy Arends wrote:
> Matthijs Mekking wrote on 03/05/2009 02:38:33 PM:
>
> > The discussion continued at our office.
> > RFC 4641 says the ZSK should sign all the RRsets.
> > For the sake of OpenDNSSEC, perhaps we should add an attribute to
> keys
> > called 'sign-what' or something, that can have the following values:
>
> Okay, lets ignore the terminology SEP/KSK/ZSK for now.
>
> > - sign nothing
> > - sign all
> > - sign all but keyset
> > - sign only keyset.
> >
> > Makes sense?
>
> Yes it does. We need to have a set of keys, that when combined,
> signs everything in the zone (the keys need to complement each
> other), and also note that overlap is not an issue.
>
> I can think of a variety of 'ranges' for a key:
>
> DNSSEC signing, three bits:
>
> sign keyset: 001
> sign data: 010
> sign NSEC/3: 100
>
> So, a key with range 7 would sign everything (similarly like a ZSK),
> and a key with range 1 would be a KSK.
>
> All the keys that are currently in use, must have a combined range
> of "7"
>
> I can also see seperate DNSKEY uses, for instance signatures over
> SSHFP's or over CERT records, which would automatically get a range
> of 0, and an associated range.
>
Do we really need all this complexity? What is wrong with
KSK = SEP = Sign only DNSKEY RRSet.
ZSK = !SEP = Sign all RRSets.
This might be boring but it causes no surprises and is as people
expect when they read the Pro DNS and BIND book or the dnssec-keygen/
signzone man pages. One of the aims of OpenDNSSEC is to make DNSSEC
simple.
John
---
John Dickinson
http://www.jadickinson.co.uk
More information about the Opendnssec-develop
mailing list