[Opendnssec-develop] KSK vs ZSK
Jakob Schlyter
jakob at kirei.se
Fri Mar 6 08:16:15 UTC 2009
after a short discussion with Roy, here is a more specific proposal:
for each key we can specify two things - if it should be included in
the signed zone file or not, and what RRset to sign.
- for publication we use <publish/>.
- for signing we use zero or more <sign>XXX</sign>, where XXX is an
RRTYPE or OTHERS.
if RRTYPE is ANY, we sign all RRsets with that key.
if RRTYPE is a specific type(s), we sign only those types.
classic typical KSK: <sign>DNSKEY</sign>
new style typical ZSK: <sign>ANY</sign>
key for delegation only: <sign>DS</sign>
BUT, we might want to be able to sign everything not explicitly
selected, so a classic ZSK would then be:
<sign>ANY</sign>
<sign>DNSKEY</sign>
(since DNSKEY was explicitly selected by the KSK, and we want the ZSK
to sign ANY RRset including DNSKEY).
complex? yes, but understandable.
useful? I believe so.
jakob
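As an added example (not code from this thread or from OpenDNSSEC), a small evaluator for the proposed per-key <publish/> and <sign> elements, plus a check that every RRset type in a zone ends up with at least one signer. ANY and specific RRTYPEs follow the post; the <Keys>/<Key id=...> wrapper elements and the reading of OTHERS as "every type not explicitly named by some key" are assumptions, since the post names OTHERS without defining it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the proposed format (wrapper element names are assumed).
KEYS_XML = """
<Keys>
  <Key id="ksk"><publish/><sign>DNSKEY</sign></Key>
  <Key id="zsk"><publish/><sign>OTHERS</sign><sign>DNSKEY</sign></Key>
  <Key id="delegation"><sign>DS</sign></Key>
</Keys>
"""


def parse_keys(xml_text):
    """Return {key_id: {"publish": bool, "sign": [RRTYPE, ...]}}."""
    keys = {}
    for k in ET.fromstring(xml_text).findall("Key"):
        keys[k.get("id")] = {
            # <publish/> present -> key goes into the signed zone file
            "publish": k.find("publish") is not None,
            "sign": [(s.text or "").strip().upper() for s in k.findall("sign")],
        }
    return keys


def signers_for(keys, rrtype):
    """Keys that sign an RRset of the given type.

    ANY     -> every RRset (as in the post)
    <type>  -> only that RRTYPE
    OTHERS  -> every type not explicitly named by any key (assumed meaning)
    """
    explicit = {t for k in keys.values() for t in k["sign"]
                if t not in ("ANY", "OTHERS")}
    out = []
    for kid, k in keys.items():
        sel = k["sign"]
        if "ANY" in sel or rrtype in sel or ("OTHERS" in sel and rrtype not in explicit):
            out.append(kid)
    return out


def unsigned_types(keys, zone_types):
    """RRset types present in the zone that no key would sign.

    A non-empty result means the signer would emit a zone that validators
    reject as bogus, so this belongs in configuration validation.
    """
    return [t for t in zone_types if not signers_for(keys, t)]
```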