[Opendnssec-develop] KSK vs ZSK
olaf at NLnetLabs.nl
Thu Mar 5 20:17:20 UTC 2009
On 5 Mar 2009, at 20:56, Jakob Schlyter wrote:
> On 5 mar 2009, at 14.54, Roy Arends wrote:
>> DNSSEC signing, three bits:
>> sign keyset: 001
>> sign data: 010
>> sign NSEC/3: 100
>> So, a key with range 7 would sign everything (similar to a
>> ZSK), and a key with range 1 would be a KSK.
> we need no bits, this is just in the instructions for the signer -
> we could do something like:
> <ksk> would be equal to <sign>keys</sign>
> <zsk> would be equal to <sign>keys</sign><sign>denial</
I could imagine all sorts of extensions such as: <sign>dynamic</sign>
Extensions... that reminds me that I once tried to extend an XML
schema that I used in a configuration and was happy I had a version
attribute defined so that my parser knew that the schema had changed.
Has versioning of the XML been considered, or is there some standard
way of doing extensions? I must admit I have only practical knowledge
of XML and schemas.
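
An added example, not part of the original message and not OpenDNSSEC code: a parser that uses a version attribute to decide which `<sign>` scopes it understands, and maps them onto the three bits quoted above. The `<key>` element, the version values, the `data` scope name and the bit assigned to `dynamic` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Roy's three bits from the thread, plus one assumed bit for "dynamic".
SIGN_KEYSET, SIGN_DATA, SIGN_DENIAL, SIGN_DYNAMIC = 0b0001, 0b0010, 0b0100, 0b1000

# Scope names accepted per schema version. "keys", "denial" and "dynamic"
# appear in the thread; "data", the <key> element, the version values and
# the bit for "dynamic" are assumptions made for this example.
V1 = {"keys": SIGN_KEYSET, "data": SIGN_DATA, "denial": SIGN_DENIAL}
SCOPES_BY_VERSION = {"1": V1, "2": {**V1, "dynamic": SIGN_DYNAMIC}}


class ConfigError(ValueError):
    """Raised when the signer instructions cannot be interpreted safely."""


def signing_range(xml_text):
    """Return the bitmask of record types a <key> element may sign."""
    root = ET.fromstring(xml_text)
    version = root.get("version")
    if version not in SCOPES_BY_VERSION:
        # Fail closed: without a known version the semantics are unknown.
        raise ConfigError(f"unsupported schema version: {version!r}")
    scopes = SCOPES_BY_VERSION[version]
    mask = 0
    for element in root.findall("sign"):
        name = (element.text or "").strip()
        if name not in scopes:
            # A scope from a newer schema must not be silently dropped,
            # or the key would sign less (or more) than the operator meant.
            raise ConfigError(f"<sign>{name}</sign> not valid in version {version}")
        mask |= scopes[name]
    if mask == 0:
        raise ConfigError("key has no <sign> scope")
    return mask


# Constructed sample inputs.
KEYS_ONLY = '<key version="1"><sign>keys</sign></key>'
EVERYTHING = ('<key version="1"><sign>keys</sign><sign>data</sign>'
              '<sign>denial</sign></key>')
DYNAMIC_V1 = '<key version="1"><sign>keys</sign><sign>dynamic</sign></key>'
DYNAMIC_V2 = '<key version="2"><sign>keys</sign><sign>dynamic</sign></key>'

if __name__ == "__main__":
    for doc in (KEYS_ONLY, EVERYTHING, DYNAMIC_V1, DYNAMIC_V2):
        try:
            print(f"{signing_range(doc):04b}  {doc}")
        except ConfigError as err:
            print(f"rejected ({err})  {doc}")
```
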