[Opendnssec-develop] KSK vs ZSK
Olaf Kolkman
olaf at NLnetLabs.nl
Thu Mar 5 20:17:20 UTC 2009
On 5 mrt 2009, at 20:56, Jakob Schlyter wrote:
> On 5 mar 2009, at 14.54, Roy Arends wrote:
>
>> DNSSEC signing, three bits:
>>
>> sign keyset: 001
>> sign data: 010
>> sign NSEC/3: 100
>>
>> So, a key with range 7 would sign everything (similarly like a
>> ZSK), and a key with range 1 would be a KSK.
>
> we need no bits, this is just in the instructions for the signer -
> we could do something like:
>
> <key>
> ...
> <sign>keys</sign>
> <sign>denial</sign>
> <sign>data</sign>
> <publish/>
> </key>
>
> <ksk> would be equal to <sign>keys</sign>
> <zsk> would be equal to <sign>keys</sign><sign>denial</sign><sign>data</sign>
I could imagine all sorts of extensions such as: <sign>dynamic</sign>
Extensions... that reminds me that I once tried to extend an XML
schema that I used in a configuration and was happy I had a version
attribute defined so that my parser knew that the schema had changed.
Has versioning of the XML been considered, or is there some standard
way of doing extensions? I must admit I have only practical knowledge
of XML and schemas.
--Olaf
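The role scheme discussed above (Roy's three bits, Jakob's `<sign>` elements with `<ksk>`/`<zsk>` as shorthand) and Olaf's versioning question can be tried out in a few lines. The following is an added illustration, not code from the thread or from OpenDNSSEC: the `version` attribute, the `id` attribute, the `<keys>` root element and the sample configuration are all assumptions made for the example. It maps each `<key>` to a bit mask, expands the shorthand elements, rejects unknown `<sign>` values (such as the hypothetical `dynamic`) instead of silently dropping them, and refuses a configuration whose schema version it does not understand, since a silently misparsed role list is exactly how a zone ends up with part of its data unsigned.

```python
"""Map the per-key <sign> instructions from the thread onto a three-bit
role mask and enforce a schema version attribute (example code)."""
import xml.etree.ElementTree as ET

# Bit values from Roy's proposal: keyset=001, data=010, NSEC/NSEC3=100.
SIGN_BITS = {"keys": 0b001, "data": 0b010, "denial": 0b100}
SIGN_ALL = 0b111
# Jakob's shorthand elements, expanded to the equivalent <sign> set.
SHORTHAND = {"ksk": SIGN_BITS["keys"], "zsk": SIGN_ALL}
# Assumption: the schema versions this parser understands.
SUPPORTED_VERSIONS = {"1"}

# Constructed sample configuration (not from the thread). The <keys> root,
# the version attribute and the id attribute are assumptions for this example.
SAMPLE_XML = """<keys version="1">
  <key id="k1"><sign>keys</sign><publish/></key>
  <key id="k2"><sign>keys</sign><sign>denial</sign><sign>data</sign></key>
  <key id="k3"><zsk/></key>
</keys>"""


class ConfigError(ValueError):
    """Raised for a configuration the signer must not act on."""


def role_mask(key):
    """Return the three-bit mask for one <key> element.

    An unknown <sign> value (e.g. a 'dynamic' extension this version does not
    know) is an error, not a no-op: ignoring it could leave data unsigned.
    """
    mask = 0
    for child in key:
        if child.tag == "sign":
            value = (child.text or "").strip()
            if value not in SIGN_BITS:
                raise ConfigError(f"key {key.get('id')}: unknown <sign>{value}</sign>")
            mask |= SIGN_BITS[value]
        elif child.tag in SHORTHAND:
            mask |= SHORTHAND[child.tag]
        # Other children (<publish/>, key material, ...) carry no signing role.
    return mask


def role_name(mask):
    """Label a mask: 1 is a KSK, 7 a ZSK, anything else a custom split."""
    if mask == SIGN_BITS["keys"]:
        return "KSK"
    if mask == SIGN_ALL:
        return "ZSK"
    return f"custom({mask:03b})"


def parse_keys(xml_text):
    """Parse the config, check the schema version, return {key id: mask}."""
    root = ET.fromstring(xml_text)  # operator-controlled file, stdlib parser is fine
    version = root.get("version")
    if version not in SUPPORTED_VERSIONS:
        raise ConfigError(f"unsupported or missing schema version: {version!r}")
    return {key.get("id"): role_mask(key) for key in root.findall("key")}


def uncovered_roles(masks):
    """Return the roles no key signs; a non-empty list means part of the zone
    would be left unsigned by this key set."""
    covered = 0
    for mask in masks.values():
        covered |= mask
    return [name for name, bit in SIGN_BITS.items() if not covered & bit]


if __name__ == "__main__":
    roles = parse_keys(SAMPLE_XML)
    for key_id, mask in roles.items():
        print(f"{key_id}: {mask:03b} {role_name(mask)}")
    print("uncovered:", uncovered_roles(roles))
```

Because the mask is just an OR of bits, `uncovered_roles` is the check a signer can run before it starts: with only a `<ksk>`-style key present it reports that `data` and `denial` have no signer, which is the configuration mistake the shorthand elements are meant to make hard to write.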