[Opendnssec-develop] KSK vs ZSK

Roy Arends roy at nominet.org.uk
Fri Mar 6 08:39:39 UTC 2009


Jakob Schlyter wrote on 03/06/2009 09:16:15 AM:

> after a short discussion with Roy, here is a more specific proposal:

To be clear: We did not discuss the publish part (but nolo contendere on 
that)
 
> for each key we can specify two things - if it should be included in 
> the signed zone file or not, and what RRset to sign.
> 
> - for publication we use <publish/>.

We did indeed discuss:

> - for signing we use zero or more <sign>XXX</sign>, where XXX is an 
> RRTYPE or OTHERS.
> 
> if RRTYPE is ANY, we sign all RRsets with that key.
> if RRTYPE is a specific type(s), we sign only those types.
> 
> classic typical KSK:     <sign>DNSKEY</sign>
> new style typical ZSK:   <sign>ANY</sign>
> key for delegation only: <sign>DS</sign>
> 
> BUT, we might want to be able to sign everything not explicitly 
> selected, so a classic ZSK would then be:
> 
>    <sign>ANY</sign>
>    <sign>DNSKEY</sign>
> 
> (since DNSKEY was explicitly selected by the KSK, and we want the ZSK 
> to sign ANY RRset including DNSKEY).

so:

<key>
  <label>KEY-1</label>
  <sign>ANY</sign>
</key>
<key>
  <label>KEY-2</label>
  <sign>DNSKEY</sign>
</key>

means that KEY-1 will NOT sign DNSKEYs. (this is exactly what I want)

of course, if you want the vanilla behaviour, you'd need to specify

<key>
  <label>KEY-1</label>
  <sign>ANY</sign>
  <sign>DNSKEY</sign>
</key>
<key>
  <label>KEY-2</label>
  <sign>DNSKEY</sign>
</key>

This way, you can even specify keys for denial by adding a key with 
<sign>NSEC</sign> and <sign>NSEC3</sign>

This is the granularity I was looking for!

Thanks,

Regards,

Roy Arends
Sr. Researcher
Nominet UK
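The selection rule discussed above (a key signs the RRtypes it lists explicitly; a key listing ANY picks up every RRtype that no key has explicitly selected) is easy to get wrong when reading a config by eye, so here is an added example that resolves it mechanically. This is illustration code written for this page, not OpenDNSSEC code and not the proposal's own implementation. It assumes the <key> elements sit under a <keys> wrapper element, that <publish/> is a bare flag element as in Jakob's message, and that the sample zone RRtypes are constructed for the demo; the lint check at the end (a signing key that is not published leaves unverifiable RRSIGs, and an RRtype with no signer stays unsigned) is the author's addition, not part of the proposal.

```python
"""Resolve which keys sign which RRsets under the <sign> semantics from the thread.

Added example, not OpenDNSSEC code. Assumptions (not from the thread):
  - <key> elements live under an arbitrary <keys> wrapper,
  - <publish/> is a bare flag element,
  - <sign>ANY</sign> means "every RRtype not explicitly selected by some key".
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class KeyConfig:
    label: str
    publish: bool
    sign: set          # RRtype names, may contain "ANY"


def parse_keys(xml_text):
    """Parse <keys><key>...</key></keys> into KeyConfig objects."""
    root = ET.fromstring(xml_text)
    keys = []
    for k in root.findall("key"):
        label = (k.findtext("label") or "").strip()
        publish = k.find("publish") is not None
        sign = {s.text.strip().upper() for s in k.findall("sign") if s.text}
        keys.append(KeyConfig(label, publish, sign))
    return keys


def explicitly_selected(keys):
    """RRtypes that at least one key names explicitly (ANY does not count)."""
    return {t for k in keys for t in k.sign if t != "ANY"}


def signers_for(keys, rrtype):
    """Labels of the keys that sign the given RRtype, in config order."""
    rrtype = rrtype.upper()
    explicit = explicitly_selected(keys)
    out = []
    for k in keys:
        if rrtype in k.sign:                       # named explicitly on this key
            out.append(k.label)
        elif "ANY" in k.sign and rrtype not in explicit:  # ANY = the leftovers
            out.append(k.label)
    return out


def signing_plan(keys, rrtypes):
    """Map every RRtype in the zone to the keys that will sign it."""
    return {t: signers_for(keys, t) for t in rrtypes}


def lint(keys, rrtypes):
    """Practitioner checks (author's addition): unsigned types and unpublished signers."""
    problems = []
    for t in rrtypes:
        if not signers_for(keys, t):
            problems.append("no key signs %s" % t)
    for k in keys:
        if k.sign and not k.publish:
            problems.append("%s signs but is not published; its RRSIGs cannot be verified" % k.label)
    return problems


# Constructed configs mirroring the two cases in Roy's message, plus a DS-only key
# and an NSEC/NSEC3 denial key as mentioned at the end of the message.
SPLIT = parse_keys("""
<keys>
  <key><label>KEY-1</label><publish/><sign>ANY</sign></key>
  <key><label>KEY-2</label><publish/><sign>DNSKEY</sign></key>
  <key><label>KEY-3</label><publish/><sign>DS</sign></key>
  <key><label>KEY-4</label><publish/><sign>NSEC</sign><sign>NSEC3</sign></key>
</keys>""")

VANILLA = parse_keys("""
<keys>
  <key><label>KEY-1</label><publish/><sign>ANY</sign><sign>DNSKEY</sign></key>
  <key><label>KEY-2</label><publish/><sign>DNSKEY</sign></key>
</keys>""")

# A deliberately bad config: the only signing key is not published.
BROKEN = parse_keys("""
<keys>
  <key><label>KEY-1</label><sign>DNSKEY</sign></key>
</keys>""")

# Constructed list of RRtypes present in a sample zone.
ZONE_TYPES = ["SOA", "NS", "A", "DNSKEY", "DS", "NSEC"]

if __name__ == "__main__":
    for name, cfg in (("split", SPLIT), ("vanilla", VANILLA)):
        print(name)
        for t, who in signing_plan(cfg, ZONE_TYPES).items():
            print("  %-7s <- %s" % (t, ", ".join(who) or "(nobody)"))
    print("lint(BROKEN):", lint(BROKEN, ZONE_TYPES))
```

Running it shows the distinction Roy draws: in SPLIT the DNSKEY RRset is signed by KEY-2 alone and KEY-1 covers only the types nobody else claimed, while in VANILLA both keys sign DNSKEY because KEY-1 names it explicitly alongside ANY.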