[Opendnssec-develop] KSK vs ZSK

Olaf Kolkman olaf at NLnetLabs.nl
Thu Mar 5 20:17:20 UTC 2009


On 5 mrt 2009, at 20:56, Jakob Schlyter wrote:

> On 5 mar 2009, at 14.54, Roy Arends wrote:
>
>> DNSSEC signing, three bits:
>>
>> sign keyset: 001
>> sign data:   010
>> sign NSEC/3: 100
>>
>> So, a key with range 7 would sign everything (similar to a ZSK),
>> and a key with range 1 would be a KSK.
>
> we need no bits, this is just in the instructions for the signer -  
> we could do something like:
>
> <key>
> 	...
> 	<sign>keys</sign>
> 	<sign>denial</sign>
> 	<sign>data</sign>
> 	<publish/>
> </key>
>
> <ksk> would be equal to <sign>keys</sign>
> <zsk> would be equal to <sign>keys</sign><sign>denial</sign><sign>data</sign>

I could imagine all sorts of extensions such as: <sign>dynamic</sign>

Extensions... that reminds me that I once tried to extend an XML  
schema that I used in a configuration and was happy I had a version  
attribute defined so that my parser knew that the schema had changed.

Has versioning of the XML been considered, or is there some standard  
way of doing extensions? I must admit I have only practical knowledge  
of XML and schemas.


--Olaf
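To make the two ideas in this thread concrete (Roy's three role bits and Jakob's per-key `<sign>` instructions, plus the version attribute Olaf asks about), here is an added Python example. It is not OpenDNSSEC code and not an implementation of its actual configuration format: the `<key>` document layout, the `version` attribute on `<key>`, the "version 2" schema and its `dynamic` target are assumptions made for illustration, and the sample XML documents are constructed. The parser reduces a `<key>` to the three-bit mask, expands the `<ksk/>`/`<zsk/>` shorthands, and refuses a `<sign>` target its declared schema version does not define rather than silently dropping a signing instruction it does not understand.

```python
import xml.etree.ElementTree as ET

# Roy's three role bits, keyed by the text of the <sign> element that sets them.
SIGN_BITS = {"keys": 0b001, "data": 0b010, "denial": 0b100}
KSK_MASK = SIGN_BITS["keys"]                                             # "range 1"
ZSK_MASK = SIGN_BITS["keys"] | SIGN_BITS["data"] | SIGN_BITS["denial"]  # "range 7"

# Which <sign> targets each schema version defines.  Version 2 and the
# "dynamic" target are assumptions standing in for a future extension.
KNOWN_TARGETS = {
    1: {"keys", "data", "denial"},
    2: {"keys", "data", "denial", "dynamic"},
}

# Constructed sample documents (not real OpenDNSSEC configuration).
KSK_XML = """<key version="1">
  <sign>keys</sign>
  <publish/>
</key>"""

ZSK_XML = """<key version="1">
  <sign>keys</sign>
  <sign>denial</sign>
  <sign>data</sign>
  <publish/>
</key>"""

EXT_XML = """<key version="2">
  <zsk/>
  <sign>dynamic</sign>
</key>"""


def parse_key(xml_text):
    """Return {'version', 'mask', 'publish', 'extra'} for one <key> element.

    Raises ValueError on a schema version this parser does not know, or on a
    <sign> target that version does not define, so an old parser rejects an
    extended document instead of ignoring an instruction it cannot honour."""
    root = ET.fromstring(xml_text)
    if root.tag != "key":
        raise ValueError(f"expected <key>, got <{root.tag}>")
    # An unversioned document is treated as version 1 (assumption).
    version = int(root.get("version", "1"))
    if version not in KNOWN_TARGETS:
        raise ValueError(f"unsupported schema version {version}")
    known = KNOWN_TARGETS[version]

    mask = 0
    extra = set()
    for el in root.findall("sign"):
        target = (el.text or "").strip()
        if target not in known:
            raise ValueError(f"<sign>{target}</sign> is not defined in schema version {version}")
        if target in SIGN_BITS:
            mask |= SIGN_BITS[target]
        else:
            extra.add(target)  # extension target with no bit in the three-bit scheme
    # Jakob's shorthands expand to the equivalent <sign> set.
    if root.find("ksk") is not None:
        mask |= KSK_MASK
    if root.find("zsk") is not None:
        mask |= ZSK_MASK
    return {
        "version": version,
        "mask": mask,
        "publish": root.find("publish") is not None,
        "extra": extra,
    }


def role_name(mask):
    """Map a role mask back to the thread's vocabulary."""
    if mask == ZSK_MASK:
        return "ZSK"
    if mask == KSK_MASK:
        return "KSK"
    if mask == 0:
        return "publish-only"
    return "custom"


def accepts(xml_text):
    """True if parse_key() accepts the document, False if it rejects it."""
    try:
        parse_key(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for doc in (KSK_XML, ZSK_XML, EXT_XML):
        k = parse_key(doc)
        print(f"version {k['version']}: mask {k['mask']:03b} -> "
              f"{role_name(k['mask'])}, extra={sorted(k['extra'])}")
```

The version check is the practical answer to the question above: a parser that only knows version 1 rejects `EXT_XML` outright, while a version-2 parser accepts it and reports `dynamic` as an extension target. Ignoring unknown `<sign>` elements would be the unsafe default, since the signer would then quietly sign less than the operator configured.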