[Opendnssec-develop] KSK vs ZSK
Rick van Rein
rick at openfortress.nl
Fri Mar 6 08:52:55 UTC 2009
Hi,
> <key>
>   <label>KEY-1</label>
>   <sign>ANY</sign>
> </key>
> <key>
>   <label>KEY-2</label>
>   <sign>DNSKEY</sign>
> </key>
So, <sign>ANY</sign> means "sign anything by DNSKEY"? That sounds like
a recipe for confusion. A more orthogonal alternative, with fewer
opportunities for confusion, could be:
<key>
  <label>KEY-1</label>
  <sign>ANY</sign>
  <not-sign>DNSKEY</not-sign>
</key>
<key>
  <label>KEY-2</label>
  <sign>DNSKEY</sign>
</key>
or even
<key>
  <label>KEY-1</label>
  <sign>ANY<except>DNSKEY</except></sign>
</key>
<key>
  <label>KEY-2</label>
  <sign>DNSKEY</sign>
</key>
Cheers,
-Rick
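
Added example (not part of the original message and not OpenDNSSEC code): a small Python evaluator for the three snippets above. It assumes ANY is read literally as "every RR type" and wraps the keys in a hypothetical <keys> root element; under that reading the quoted form has both keys signing the DNSKEY RRset, while the two alternatives leave it to KEY-2 alone.

```python
import xml.etree.ElementTree as ET

# Constructed policies mirroring the three snippets in the message above.
# The <keys> wrapper is hypothetical, added only to get well-formed XML.
QUOTED = """<keys>
  <key><label>KEY-1</label><sign>ANY</sign></key>
  <key><label>KEY-2</label><sign>DNSKEY</sign></key>
</keys>"""
NOT_SIGN = """<keys>
  <key><label>KEY-1</label><sign>ANY</sign><not-sign>DNSKEY</not-sign></key>
  <key><label>KEY-2</label><sign>DNSKEY</sign></key>
</keys>"""
EXCEPT = """<keys>
  <key><label>KEY-1</label><sign>ANY<except>DNSKEY</except></sign></key>
  <key><label>KEY-2</label><sign>DNSKEY</sign></key>
</keys>"""


def key_signs(key, rrtype):
    """True if this <key> element is configured to sign RRsets of rrtype."""
    # Exclusions from either proposed form: <not-sign> or a nested <except>.
    excluded = {e.text.strip() for e in key.iter("not-sign")}
    excluded |= {e.text.strip() for e in key.iter("except")}
    if rrtype in excluded:
        return False
    # ANY is read literally here (assumption): it matches every RR type.
    for sign in key.findall("sign"):
        if (sign.text or "").strip() in ("ANY", rrtype):
            return True
    return False


def signers(policy_xml, rrtype):
    """Labels of all keys that would sign rrtype under the given policy."""
    root = ET.fromstring(policy_xml)
    return [k.findtext("label") for k in root.findall("key") if key_signs(k, rrtype)]


if __name__ == "__main__":
    for name, policy in (("quoted", QUOTED), ("not-sign", NOT_SIGN), ("except", EXCEPT)):
        print(name, {t: signers(policy, t) for t in ("DNSKEY", "A")})
```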