[Opendnssec-develop] KSK vs ZSK
Roy Arends
roy at nominet.org.uk
Fri Mar 6 09:03:29 UTC 2009
Rick van Rein wrote on 03/06/2009 09:52:55 AM:
> Hi,
>
> > <key>
> > <label>KEY-1</label>
> > <sign>ANY</sign>
> > </key>
> > <key>
> > <label>KEY-2</label>
> > <sign>DNSKEY</sign>
> > </key>
>
> So, <sign>ANY</sign> means "sign anything by DNSKEY"? That sounds like
> a recipe for confusion. A more orthogonal alternative, with fewer
> opportunities for confusion, could be:
>
> <key>
> <label>KEY-1</label>
> <sign>ANY</sign>
> <not-sign>DNSKEY</not-sign>
> </key>
> <key>
> <label>KEY-2</label>
> <sign>DNSKEY</sign>
> </key>
>
> or even
>
> <key>
> <label>KEY-1</label>
> <sign>ANY<except>DNSKEY</except></sign>
> </key>
> <key>
> <label>KEY-2</label>
> <sign>DNSKEY</sign>
> </key>
Rick, that does not look less complex to me.
The rule in our scheme is basically that you explicitly assign keys to
types they need to sign. Anything not explicitly assigned falls in the
category 'ANY'.
Kind of like the 'default:' part of the switch/case statement.
Regards,
Roy Arends
Sr. Researcher
Nominet UK
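The assignment rule Roy describes, worked through in code. This is an added example, not OpenDNSSEC's own code; it wraps the two `<key>` elements quoted in the thread in a hypothetical `<keys>` root so that they parse as one document, and the function names are the example's own.

```python
"""Resolve which keys sign a given RRset type under the 'explicit first, ANY as default' rule."""
import xml.etree.ElementTree as ET

# Constructed sample: the two <key> elements from the thread, wrapped in a
# hypothetical <keys> root element so that ElementTree accepts them.
SAMPLE_CONFIG = """
<keys>
  <key><label>KEY-1</label><sign>ANY</sign></key>
  <key><label>KEY-2</label><sign>DNSKEY</sign></key>
</keys>
"""


def parse_keys(xml_text):
    """Return a list of (label, set_of_sign_types) tuples from the XML."""
    root = ET.fromstring(xml_text)
    keys = []
    for key in root.findall("key"):
        label = key.findtext("label")
        types = {s.text.strip().upper() for s in key.findall("sign")}
        keys.append((label, types))
    return keys


def signers_for(keys, rrtype):
    """Labels of the keys that sign `rrtype`.

    Explicit assignments win. A key marked ANY behaves like the 'default:'
    arm of a switch: it only covers types that no key claims explicitly,
    so with the sample config the ANY key never signs the DNSKEY RRset.
    """
    rrtype = rrtype.upper()
    explicit = [label for label, types in keys if rrtype in types]
    if explicit:
        return explicit
    return [label for label, types in keys if "ANY" in types]


def unsigned_types(keys, rrtypes):
    """Types in `rrtypes` that no key would sign (a misconfiguration to flag)."""
    return [t for t in rrtypes if not signers_for(keys, t)]


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_CONFIG)
    for t in ("DNSKEY", "SOA", "NS", "A"):
        print(t, "->", signers_for(keys, t))
    print("unsigned:", unsigned_types(keys, ["SOA", "DNSKEY"]))
```

With the sample config, DNSKEY resolves to KEY-2 alone and every other type to KEY-1; `unsigned_types` catches a policy that assigns only DNSKEY and has no ANY key, which would leave the rest of the zone unsigned.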