[Opendnssec-develop] KSK vs ZSK

Jakob Schlyter jakob at kirei.se
Thu Mar 5 19:56:02 UTC 2009

On 5 mar 2009, at 14.54, Roy Arends wrote:

> DNSSEC signing, three bits:
> sign keyset: 001
> sign data:   010
> sign NSEC/3: 100
> So, a key with range 7 would sign everything (similar to a ZSK),
> and a key with range 1 would be a KSK.

We need no bits, this is just in the instructions for the signer - we
could do something like:


<ksk> would be equal to <sign>keys</sign>
<zsk> would be equal to <sign>keys</sign><sign>denial</ 

