[Opendnssec-develop] KSK vs ZSK
roy at nominet.org.uk
Fri Mar 6 08:39:39 UTC 2009
Jakob Schlyter wrote on 03/06/2009 09:16:15 AM:
> after a short discussion with Roy, here is a more specific proposal:
To be clear: We did not discuss the publish part (but nolo contendere on
> for each key we can specify two things - if it should be included in
> the signed zone file or not, and what RRset to sign.
> - for publication we use <publish/>.
We did indeed discuss:
> - for signing we use zero or more <sign>XXX</sign>, where XXX is an
> RRTYPE or OTHERS.
> if RRTYPE is ANY, we sign all RRsets with that key.
> if RRTYPE is a specific type(s), we sign only those types.
> classic typical KSK: <sign>DNSKEY</sign>
> new style typical ZSK: <sign>ANY</sign>
> key for delegation only: <sign>DS</sign>
> BUT, we might want to be able to sign everything not explicitly
> selected, so a classic ZSK would then be:
> (since DNSKEY was explicitly selected by the KSK, and we want the ZSK
> to sign ANY RRset including DNSKEY).
leads to KEY-1 NOT signing DNSKEYs. (this is exactly what I want)
Of course, if you want the vanilla behaviour, you'd need to specify
This way, you can even specify keys for denial by adding a key with
<sign>NSEC</sign> and <sign>NSEC3</sign>
This is the granularity I was looking for!
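As an added illustration (not code from OpenDNSSEC or from either poster), here is a small resolver for the per-key <publish/> and <sign>RRTYPE</sign> selectors proposed above: ANY signs every RRset, an explicit type list signs only those types, and OTHERS signs whatever no key names explicitly, so a KSK with <sign>DNSKEY</sign> beside a key with <sign>OTHERS</sign> leaves DNSKEY to the KSK alone. The key names, the zone's RRTYPE list and the two sanity checks (uncovered types, unpublished signers) are constructed for the example.

```python
from collections import namedtuple

# One key as the proposal describes it: whether its DNSKEY is published in the
# signed zone, and the set of <sign> selectors ("ANY", "OTHERS" or RRTYPE names).
KeySpec = namedtuple("KeySpec", "name publish sign")
SPECIAL = {"ANY", "OTHERS"}

def explicit_types(keys):
    """RRTYPEs named explicitly by some key; OTHERS is everything outside this set."""
    return {t for k in keys for t in k.sign if t not in SPECIAL}

def signers_for(rrtype, keys):
    """Names of the keys that sign RRsets of type rrtype under the proposed rules."""
    rrtype = rrtype.upper()
    explicit = explicit_types(keys)
    chosen = []
    for k in keys:
        if "ANY" in k.sign or rrtype in k.sign:
            chosen.append(k.name)          # ANY, or this type was named explicitly
        elif "OTHERS" in k.sign and rrtype not in explicit:
            chosen.append(k.name)          # OTHERS: nobody claimed this type explicitly
    return chosen

def signing_plan(rrtypes, keys):
    """Map each RRTYPE present in the zone to the keys that sign it."""
    return {t: signers_for(t, keys) for t in rrtypes}

def uncovered_types(rrtypes, keys):
    """RRTYPEs no key signs; a non-empty result means a partly unsigned zone (constructed check)."""
    return [t for t in rrtypes if not signers_for(t, keys)]

def unpublished_signers(keys):
    """Keys that sign but lack <publish/>; validators could not verify those RRSIGs (constructed check)."""
    return [k.name for k in keys if k.sign and not k.publish]

# Constructed key set following the examples in the thread.
KEYS = [
    KeySpec("KSK", True, {"DNSKEY"}),    # classic KSK
    KeySpec("KEY-1", True, {"OTHERS"}),  # signs everything not claimed elsewhere, so not DNSKEY
    KeySpec("DENIAL", True, {"NSEC3"}),  # denial-only key
    KeySpec("DELEG", False, {"DS"}),     # delegation-only key, deliberately left unpublished
]
ZONE_TYPES = ["SOA", "NS", "A", "MX", "DNSKEY", "DS", "NSEC3"]

if __name__ == "__main__":
    for rrtype, names in signing_plan(ZONE_TYPES, KEYS).items():
        print(f"{rrtype:7} -> {', '.join(names) or '(none)'}")
    print("unpublished signers:", unpublished_signers(KEYS))
```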