[Opendnssec-develop] KSK vs ZSK
Jakob Schlyter
jakob at kirei.se
Thu Mar 5 19:56:02 UTC 2009
On 5 mar 2009, at 14.54, Roy Arends wrote:
> DNSSEC signing, three bits:
>
> sign keyset: 001
> sign data: 010
> sign NSEC/3: 100
>
> So, a key with range 7 would sign everything (similarly like a ZSK),
> and a key with range 1 would be a KSK.

we need no bits, this is just in the instructions for the signer - we
could do something like:

    <key>
      ...
      <sign>keys</sign>
      <sign>denial</sign>
      <sign>data</sign>
      <publish/>
    </key>

<ksk> would be equal to <sign>keys</sign>
<zsk> would be equal to <sign>keys</sign><sign>denial</sign><sign>data</sign>

jakob
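
Added example, not part of the original message and not OpenDNSSEC code: a sketch of how a signer could read the proposed `<sign>` instructions, relate them to the three bits from the quoted message, and pick the keys for a given RR type. The `<keys>` wrapper, the `id` attribute, the sample policy and the RR-type-to-category mapping are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Bit values as given in the quoted message: keyset=001, data=010, NSEC/3=100.
BITS = {"keys": 0b001, "data": 0b010, "denial": 0b100}

# Constructed sample; the <keys> wrapper and id attribute are hypothetical.
SAMPLE = """<keys>
  <key id="k1"><sign>keys</sign><publish/></key>
  <key id="k2"><sign>keys</sign><sign>denial</sign><sign>data</sign><publish/></key>
  <key id="k3"><sign>data</sign><sign>denial</sign></key>
</keys>"""

def parse_keys(xml_text):
    """Return {key id: bitmask} built from each key's <sign> elements."""
    masks = {}
    for key in ET.fromstring(xml_text).iter("key"):
        mask = 0
        for sign in key.findall("sign"):
            role = (sign.text or "").strip()
            if role not in BITS:
                raise ValueError(f"unknown <sign> value: {role!r}")
            mask |= BITS[role]
        masks[key.get("id")] = mask
    return masks

def shorthand(mask):
    """Map a mask to the <ksk>/<zsk> shorthand from the message, if any."""
    return {0b001: "ksk", 0b111: "zsk"}.get(mask)

def category(rrtype):
    """Assumed mapping from RR type to the three signing categories."""
    if rrtype == "DNSKEY":
        return "keys"
    return "denial" if rrtype in ("NSEC", "NSEC3") else "data"

def signers_for(masks, rrtype):
    """IDs of keys whose instructions cover this RR type."""
    bit = BITS[category(rrtype)]
    return sorted(k for k, m in masks.items() if m & bit)

def unsigned_categories(masks):
    """Categories no key is instructed to sign (a policy gap)."""
    covered = 0
    for m in masks.values():
        covered |= m
    return sorted(c for c, b in BITS.items() if not covered & b)

if __name__ == "__main__":
    masks = parse_keys(SAMPLE)
    for rrtype in ("DNSKEY", "A", "NSEC3"):
        print(rrtype, signers_for(masks, rrtype))
```

`unsigned_categories` is the check worth running on any such policy: a key set containing only a `<sign>keys</sign>` key leaves data and denial records without a signer.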