[Opendnssec-develop] KSK vs ZSK

Jakob Schlyter jakob at kirei.se
Thu Mar 5 19:56:02 UTC 2009


On 5 mar 2009, at 14.54, Roy Arends wrote:

> DNSSEC signing, three bits:
>
> sign keyset: 001
> sign data:   010
> sign NSEC/3: 100
>
> So, a key with range 7 would sign everything (similarly like a ZSK),  
> and a key with range 1 would be a KSK.

we need no bits, this is just in the instructions for the signer - we  
could do something like:

<key>
	...
	<sign>keys</sign>
	<sign>denial</sign>
	<sign>data</sign>
	<publish/>
</key>

<ksk> would be equal to <sign>keys</sign>
<zsk> would be equal to <sign>keys</sign><sign>denial</sign><sign>data</sign>


	jakob
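As an added illustration (not code from this thread or from OpenDNSSEC), the following Python maps Jakob's `<sign>` elements onto Roy's three bits and classifies each key as the KSK or ZSK shorthand; the `<keys>` wrapper, the `id` attributes and the `<ksk/>`/`<zsk/>` shorthand elements are assumed, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Roy's three bits; "denial" is Jakob's name for the NSEC/NSEC3 chain.
SIGN_BITS = {"keys": 0b001, "data": 0b010, "denial": 0b100}
KSK_MASK = SIGN_BITS["keys"]                                   # range 1
ZSK_MASK = SIGN_BITS["keys"] | SIGN_BITS["data"] | SIGN_BITS["denial"]  # range 7

# Constructed sample in the shape Jakob sketched (wrapper, ids and
# <ksk/>/<zsk/> shorthands are assumptions, not from the thread).
SAMPLE = """
<keys>
  <key id="a"><sign>keys</sign><publish/></key>
  <key id="b"><sign>keys</sign><sign>denial</sign><sign>data</sign><publish/></key>
  <key id="c"><ksk/></key>
  <key id="d"><zsk/></key>
  <key id="e"><sign>denial</sign><sign>data</sign></key>
</keys>
"""

def sign_mask(key):
    """Return the 3-bit signing mask for one <key> element."""
    mask = 0
    if key.find("ksk") is not None:
        mask |= KSK_MASK
    if key.find("zsk") is not None:
        mask |= ZSK_MASK
    for s in key.findall("sign"):
        name = (s.text or "").strip()
        if name not in SIGN_BITS:
            raise ValueError(f"unknown <sign> target {name!r}")
        mask |= SIGN_BITS[name]
    return mask

def role(mask):
    """Name the classic role a mask corresponds to, if any."""
    if mask == KSK_MASK:
        return "KSK"
    if mask == ZSK_MASK:
        return "ZSK"
    return "publish-only" if mask == 0 else "custom"

def parse_keys(xml_text):
    """Map key id -> (mask, role) for every <key> in the document."""
    root = ET.fromstring(xml_text)
    return {k.get("id"): (sign_mask(k), role(sign_mask(k))) for k in root.findall("key")}

def unsigned_targets(keys):
    """Targets (keys/data/denial) that no key in the set would sign."""
    covered = 0
    for mask, _ in keys.values():
        covered |= mask
    return [name for name, bit in SIGN_BITS.items() if not covered & bit]
```

`unsigned_targets` is the check a signer would want before writing a zone: if it returns anything, part of the zone (the DNSKEY set, the data, or the denial chain) would go out unsigned.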
