[Opendnssec-develop] KSK vs ZSK

Jakob Schlyter jakob at kirei.se
Fri Mar 6 08:16:15 UTC 2009

after a short dicsussion with Roy, here is a more specific proposal:

for each key we can specify two things - if it should be included in  
the signed zone file or not, and what RRset to sign.

- for publication we use <publish/>.

- for signing we use zero or more <sign>XXX</sign>, where XXX is an  

if RRTYPE is ANY, we sign all RRsets with that key.
if RRTYPE is a specific type(s), we sign only those types.

classic typical KSK:     <sign>DNSKEY</sign>
new style typical ZSK:   <sign>ANY</sign>
key for delegation only: <sign>DS</sign>

BUT, we might want to be able to sign everything not explicitly  
selected, so a classic ZSK would then be:


(since DNSKEY was explicitly selected by the KSK, and we want the ZSK  
to sign ANY RRset including DNSKEY).

complex? yes, but understandable.
useful? I believe so.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3646 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090306/56468c52/attachment.bin>

More information about the Opendnssec-develop mailing list