[Opendnssec-develop] KSK vs ZSK

Rick van Rein rick at openfortress.nl
Fri Mar 6 08:52:55 UTC 2009


Hi,

> <key>
>   <label>KEY-1</label>
>   <sign>ANY</sign>
> </key>
> <key>
>   <label>KEY-2</label>
>   <sign>DNSKEY</sign>
> </key>

So, <sign>ANY</sign> means "sign anything by DNSKEY"?  That sounds like
a recipe for confusion.  A more orthogonal alternative, with fewer
opportunities for confusion, could be:

<key>
  <label>KEY-1</label>
  <sign>ANY</sign>
  <not-sign>DNSKEY</not-sign>
</key>
<key>
  <label>KEY-2</label>
  <sign>DNSKEY</sign>
</key>

or even

<key>
  <label>KEY-1</label>
  <sign>ANY<except>DNSKEY</except></sign>
</key>
<key>
  <label>KEY-2</label>
  <sign>DNSKEY</sign>
</key>


Cheers,
 -Rick
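To make the difference between the three notations concrete, here is an added example (not code from the original post, and not OpenDNSSEC's own configuration parser) that reads each variant of the `<key>` policy and answers "may key X sign RR type Y?". The `<keys>` wrapper element, the function names and the sample RR types are assumptions for the sake of the example; the three key policies are constructed from the snippets in the thread. The last function reports RR types that more than one key would sign, which is the ambiguity the quoted `<sign>ANY</sign>` proposal leaves open.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the quoted proposal, where <sign>ANY</sign> is not
# restricted and so KEY-1 would also cover DNSKEY.
QUOTED_PROPOSAL = """<keys>
<key><label>KEY-1</label><sign>ANY</sign></key>
<key><label>KEY-2</label><sign>DNSKEY</sign></key>
</keys>"""

# Constructed sample: the <not-sign> variant.
NOT_SIGN_VARIANT = """<keys>
<key>
  <label>KEY-1</label>
  <sign>ANY</sign>
  <not-sign>DNSKEY</not-sign>
</key>
<key>
  <label>KEY-2</label>
  <sign>DNSKEY</sign>
</key>
</keys>"""

# Constructed sample: the nested <except> variant.
EXCEPT_VARIANT = """<keys>
<key>
  <label>KEY-1</label>
  <sign>ANY<except>DNSKEY</except></sign>
</key>
<key>
  <label>KEY-2</label>
  <sign>DNSKEY</sign>
</key>
</keys>"""


def parse_key_policy(xml_text):
    """Return {label: (allowed_types, excluded_types)} for every <key>.

    'ANY' in allowed_types is a wildcard; excluded_types always wins.
    The <keys> wrapper element is an assumption of this example.
    """
    policy = {}
    for key in ET.fromstring(xml_text).findall("key"):
        label = key.findtext("label").strip()
        allowed, excluded = set(), set()
        for sign in key.findall("sign"):
            # The RR type (or ANY) is the element's own text; a nested
            # <except> child carries exclusions in the third notation.
            if sign.text and sign.text.strip():
                allowed.add(sign.text.strip().upper())
            for exc in sign.findall("except"):
                excluded.add(exc.text.strip().upper())
        # The second notation puts exclusions in a sibling <not-sign>.
        for ns in key.findall("not-sign"):
            excluded.add(ns.text.strip().upper())
        policy[label] = (frozenset(allowed), frozenset(excluded))
    return policy


def may_sign(policy, label, rrtype):
    """True if the key labelled `label` is permitted to sign `rrtype`."""
    allowed, excluded = policy[label]
    rrtype = rrtype.upper()
    if rrtype in excluded:
        return False
    return "ANY" in allowed or rrtype in allowed


def signers_for(policy, rrtype):
    """Labels of all keys that may sign `rrtype`, in sorted order."""
    return sorted(lbl for lbl in policy if may_sign(policy, lbl, rrtype))


def ambiguous_types(policy, rrtypes):
    """RR types that more than one key would sign under `policy`."""
    return [t for t in rrtypes if len(signers_for(policy, t)) > 1]


if __name__ == "__main__":
    # Constructed list of RR types found at a typical zone apex.
    apex_types = ["SOA", "NS", "DNSKEY", "A", "MX"]
    for name, text in [("quoted", QUOTED_PROPOSAL),
                       ("not-sign", NOT_SIGN_VARIANT),
                       ("except", EXCEPT_VARIANT)]:
        pol = parse_key_policy(text)
        print(name, {t: signers_for(pol, t) for t in apex_types},
              "ambiguous:", ambiguous_types(pol, apex_types))
```

Running the script shows that the `<not-sign>` and `<except>` notations parse to the same policy (KEY-1 signs everything except DNSKEY, KEY-2 signs only DNSKEY), while the quoted proposal leaves DNSKEY with two signers unless `ANY` is given an implicit "except DNSKEY" meaning.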