[Opendnssec-develop] KSK vs ZSK
Matthijs Mekking
matthijs at NLnetLabs.nl
Fri Mar 6 09:07:53 UTC 2009
so a typical ZSK would become
<key>
<label>KEY-1</label>
<sign>ANY</sign>
<sign>DNSKEY</sign>
<sign>NSEC3</sign>
...
</key>
?
In that case, I would prefer an additional sign value: ALL.
Matthijs
Roy Arends wrote:
> Rick van Rein wrote on 03/06/2009 09:52:55 AM:
>
>> Hi,
>>
>> > <key>
>> > <label>KEY-1</label>
>> > <sign>ANY</sign>
>> > </key>
>> > <key>
>> > <label>KEY-2</label>
>> > <sign>DNSKEY</sign>
>> > </key>
>>
>> So, <sign>ANY</sign> means "sign anything by DNSKEY"? That sounds like
>> a recipe for confusion. A more orthogonal alternative, with fewer
>> opportunities for confusion, could be:
>>
>> <key>
>> <label>KEY-1</label>
>> <sign>ANY</sign>
>> <not-sign>DNSKEY</not-sign>
>> </key>
>> <key>
>> <label>KEY-2</label>
>> <sign>DNSKEY</sign>
>> </key>
>>
>> or even
>>
>> <key>
>> <label>KEY-1</label>
>> <sign>ANY<except>DNSKEY</except></sign>
>> </key>
>> <key>
>> <label>KEY-2</label>
>> <sign>DNSKEY</sign>
>> </key>
>
> Rick, that does not look less complex to me.
>
> The rule in our scheme is basically that you explicitly assign keys to
> types they need to sign. Anything not explicitly assigned falls in the
> category 'ANY'.
>
> kind of like the 'default:' part of the switch/case statement.
>
> Regards,
>
> Roy Arends
> Sr. Researcher
> Nominet UK
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
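To make the rule Roy describes concrete, here is an added example (not code from OpenDNSSEC or from anyone in the thread) that parses the `<key>`/`<label>`/`<sign>` fragments from the messages above and resolves which key labels sign a given RR type. It assumes a wrapping `<keys>` root element and the "explicit assignment wins, `ANY` is the default branch" semantics from Roy's message; the `ALL` value is Matthijs's proposal and is modelled here as "always included, regardless of explicit assignments", which is this example's own interpretation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two-key configuration quoted in the thread.
# The <keys> root element is an assumption of this example.
SAMPLE_XML = """
<keys>
  <key>
    <label>KEY-1</label>
    <sign>ANY</sign>
  </key>
  <key>
    <label>KEY-2</label>
    <sign>DNSKEY</sign>
  </key>
</keys>
"""

# Constructed sample with Matthijs's proposed ALL value (hypothetical semantics).
SAMPLE_XML_WITH_ALL = """
<keys>
  <key>
    <label>KSK-1</label>
    <sign>ALL</sign>
  </key>
  <key>
    <label>ZSK-1</label>
    <sign>ANY</sign>
  </key>
  <key>
    <label>ZSK-2</label>
    <sign>DNSKEY</sign>
  </key>
</keys>
"""


def parse_keys(xml_text):
    """Return a list of (label, set-of-sign-values) tuples from the XML."""
    root = ET.fromstring(xml_text)
    keys = []
    for key in root.findall("key"):
        label = key.findtext("label", default="").strip()
        types = {s.text.strip().upper() for s in key.findall("sign") if s.text}
        keys.append((label, types))
    return keys


def signers_for(keys, rrtype):
    """Resolve which key labels sign one RR type.

    Roy's rule: keys explicitly assigned to the type win; if none is,
    the keys marked ANY act as the 'default:' branch of a switch.
    ALL (hypothetical) is always added on top of whatever was selected.
    """
    rrtype = rrtype.upper()
    explicit = [label for label, types in keys if rrtype in types]
    chosen = explicit or [label for label, types in keys if "ANY" in types]
    always = [label for label, types in keys if "ALL" in types and label not in chosen]
    return chosen + always


def signing_plan(keys, rrtypes):
    """Map each RR type to the labels that will sign it."""
    return {t: signers_for(keys, t) for t in rrtypes}


if __name__ == "__main__":
    for name, text in (("ANY/explicit", SAMPLE_XML), ("with ALL", SAMPLE_XML_WITH_ALL)):
        plan = signing_plan(parse_keys(text), ["A", "NSEC3", "DNSKEY"])
        print(name)
        for rrtype, labels in plan.items():
            print("  %-6s -> %s" % (rrtype, ", ".join(labels)))
```

Running the first configuration shows exactly the point under discussion: `KEY-1` signs `A` and `NSEC3` because nothing claims them explicitly, while `DNSKEY` goes only to `KEY-2`, so `ANY` effectively means "everything nobody else asked for". In the second configuration `KSK-1` is attached to every type, which is the behaviour an `ALL` value would have to express.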