[Opendnssec-develop] KSK vs ZSK
Roy Arends
roy at nominet.org.uk
Fri Mar 6 08:39:39 UTC 2009
Jakob Schlyter wrote on 03/06/2009 09:16:15 AM:
> after a short discussion with Roy, here is a more specific proposal:
To be clear: We did not discuss the publish part (but nolo contendere on
that)
> for each key we can specify two things - if it should be included in
> the signed zone file or not, and what RRset to sign.
>
> - for publication we use <publish/>.
We did indeed discuss:
> - for signing we use zero or more <sign>XXX</sign>, where XXX is an
> RRTYPE or OTHERS.
>
> if RRTYPE is ANY, we sign all RRsets with that key.
> if RRTYPE is a specific type(s), we sign only those types.
>
> classic typical KSK: <sign>DNSKEY</sign>
> new style typical ZSK: <sign>ANY</sign>
> key for delegation only: <sign>DS</sign>
>
> BUT, we might want to be able to sign everything not explicitly
> selected, so a classic ZSK would then be:
>
> <sign>ANY</sign>
> <sign>DNSKEY</sign>
>
> (since DNSKEY was explicitly selected by the KSK, and we want the ZSK
> to sign ANY RRset including DNSKEY).
so:
<key>
<label>KEY-1</label>
<sign>ANY</sign>
</key>
<key>
<label>KEY-2</label>
<sign>DNSKEY</sign>
</key>
means that KEY-1 will NOT sign DNSKEYs (this is exactly what I want).
Of course, if you want the vanilla behaviour, you'd need to specify
<key>
<label>KEY-1</label>
<sign>ANY</sign>
<sign>DNSKEY</sign>
</key>
<key>
<label>KEY-2</label>
<sign>DNSKEY</sign>
</key>
This way, you can even specify keys for denial by adding a key with
<sign>NSEC</sign> and <sign>NSEC3</sign>
This is the granularity I was looking for!
Thanks,
Regards,
Roy Arends
Sr. Researcher
Nominet UK
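The resolution rule discussed above (a key listing ANY signs every RRset type except those another key has explicitly selected, and a key can opt back in by listing the type itself) is small enough to model directly. The following Python is an added example written for this page; it is not OpenDNSSEC code and the <keys>/<key>/<label>/<sign> layout, the function names, and the sample configurations are assumptions built from the snippets in the message. It models only ANY and explicit RRTYPEs (the OTHERS keyword from the proposal is not modelled) and also reports RRset types that would end up with no signer, which is the misconfiguration a practitioner most wants to catch before a zone goes out unsigned.

```python
"""Resolve which key signs which RRset type under the <sign> proposal.

Assumption: this implements the semantics described in the thread
(ANY = "everything not explicitly selected by another key"); it is an
illustration, not the OpenDNSSEC configuration parser.
"""
import xml.etree.ElementTree as ET

# Constructed sample: KEY-1 signs ANY, KEY-2 explicitly signs DNSKEY,
# so KEY-1 does NOT sign the DNSKEY RRset (the split Roy asks for).
CONFIG_SPLIT = """
<keys>
  <key><label>KEY-1</label><sign>ANY</sign></key>
  <key><label>KEY-2</label><sign>DNSKEY</sign></key>
</keys>
"""

# Constructed sample: "vanilla" behaviour, KEY-1 opts back in to DNSKEY.
CONFIG_VANILLA = """
<keys>
  <key><label>KEY-1</label><sign>ANY</sign><sign>DNSKEY</sign></key>
  <key><label>KEY-2</label><sign>DNSKEY</sign></key>
</keys>
"""

# Constructed sample: a dedicated denial key for NSEC and NSEC3.
CONFIG_DENIAL = """
<keys>
  <key><label>KEY-1</label><sign>ANY</sign></key>
  <key><label>KEY-2</label><sign>DNSKEY</sign></key>
  <key><label>KEY-3</label><sign>NSEC</sign><sign>NSEC3</sign></key>
</keys>
"""

# Constructed sample with no ANY key: the A RRset has no signer at all.
CONFIG_NO_ANY = """
<keys>
  <key><label>KEY-2</label><sign>DNSKEY</sign></key>
</keys>
"""


def parse_keys(xml_text):
    """Return a list of (label, set_of_sign_targets) from a <keys> document."""
    root = ET.fromstring(xml_text)
    keys = []
    for key in root.findall("key"):
        label = key.findtext("label").strip()
        targets = {s.text.strip().upper() for s in key.findall("sign")}
        keys.append((label, targets))
    return keys


def signers_for(keys, rrtype):
    """Return the sorted labels of keys that sign RRsets of type rrtype.

    - A key listing rrtype explicitly always signs it.
    - A key listing ANY signs rrtype only when no key has selected it
      explicitly; listing the type itself is how an ANY key opts back in.
    """
    rrtype = rrtype.upper()
    explicit = {label for label, targets in keys if rrtype in targets}
    signers = set(explicit)
    if not explicit:
        # Nobody claimed this type explicitly: every ANY key signs it.
        signers.update(label for label, targets in keys if "ANY" in targets)
    return sorted(signers)


def signing_plan(keys, rrtypes):
    """Map each RRset type present in the zone to the keys that sign it."""
    return {t.upper(): signers_for(keys, t) for t in rrtypes}


def unsigned_types(keys, rrtypes):
    """RRset types that no key would sign under this configuration."""
    return sorted(t for t, s in signing_plan(keys, rrtypes).items() if not s)


if __name__ == "__main__":
    zone_types = ["SOA", "NS", "A", "DNSKEY", "NSEC"]
    for name, cfg in [("split", CONFIG_SPLIT), ("vanilla", CONFIG_VANILLA),
                      ("denial", CONFIG_DENIAL), ("no-any", CONFIG_NO_ANY)]:
        keys = parse_keys(cfg)
        print(name, signing_plan(keys, zone_types),
              "unsigned:", unsigned_types(keys, zone_types))
```

Running the block prints one plan per configuration; the "no-any" case shows SOA, NS, A and NSEC with no signer, which is the check worth wiring into any tool that validates such a key list before signing.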