[Opendnssec-develop] KSK vs ZSK
John Dickinson
jad at jadickinson.co.uk
Fri Mar 6 09:39:38 UTC 2009
On 6 Mar 2009, at 08:39, Roy Arends wrote:
> Jakob Schlyter wrote on 03/06/2009 09:16:15 AM:
>
> > after a short discussion with Roy, here is a more specific proposal:
>
> To be clear: We did not discuss the publish part (but nolo
> contendere on that)
>
> > for each key we can specify two things - if it should be included in
> > the signed zone file or not, and what RRset to sign.
> >
> > - for publication we use <publish/>.
>
> We did indeed discuss:
>
> > - for signing we use zero or more <sign>XXX</sign>, where XXX is an
> > RRTYPE or OTHERS.
> >
> > if RRTYPE is ANY, we sign all RRsets with that key.
> > if RRTYPE is a specific type(s), we sign only those types.
> >
> > classic typical KSK: <sign>DNSKEY</sign>
> > new style typical ZSK: <sign>ANY</sign>
> > key for delegation only: <sign>DS</sign>
> >
> > BUT, we might want to be able to sign everything not explicitly
> > selected, so a classic ZSK would then be:
> >
> > <sign>ANY</sign>
> > <sign>DNSKEY</sign>
> >
> > (since DNSKEY was explicitly selected by the KSK, and we want the
> > ZSK to sign ANY RRset including DNSKEY).
>
> so:
>
> <key>
> <label>KEY-1</label>
> <sign>ANY</sign>
> </key>
> <key>
> <label>KEY-2</label>
> <sign>DNSKEY</sign>
> </key>
>
> means that KEY-1 will NOT sign DNSKEYs. (this is exactly what I
> want)
>
> of course, if you want the vanilla behaviour, you'd need to specify
>
> <key>
> <label>KEY-1</label>
> <sign>ANY</sign>
> <sign>DNSKEY</sign>
> </key>
> <key>
> <label>KEY-2</label>
> <sign>DNSKEY</sign>
> </key>
>
We also need to specify how key rollover will occur. Will the key be
treated according to the KSK or ZSK logic as specified in the draft
(pre-publish or double key?)? How about this:
<key>
<label>KEY-1</label>
<type>KSK</type>
<sign>DEFAULT</sign>
</key>
<key>
<label>KEY-2</label>
<type>ZSK</type>
<sign>DEFAULT</sign>
</key>
<key>
<label>KEY-2</label>
<type>ZSK</type>
<sign>DS</sign>
</key>
If <sign> = DEFAULT then KSKs sign the DNSKEY RRSet and ZSKs sign
everything including the DNSKEY RRSet.
If <sign> != DEFAULT then the key only signs the specified types of
RRSet.
If <type> = KSK then <sign> == DEFAULT
John
---
John Dickinson
http://www.jadickinson.co.uk
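The following is an added worked model of the per-key <sign> semantics discussed in this thread; it is not code from the thread or from OpenDNSSEC. It parses the <key> snippets above (wrapped in an assumed <keys> root so there is a single document element), expands John's DEFAULT rule, and applies Jakob's "ANY covers everything not explicitly selected" rule to report which key signs which RRTYPE. Assumptions beyond the thread: the third key in John's example is labelled KEY-3 here so labels stay unique; DEFAULT on a ZSK is modelled as ANY plus DNSKEY, so a type that another key selects explicitly (DS in John's example) is left to that key; the list of RRTYPEs present in the zone is constructed.

```python
"""Model of the <sign> selector semantics proposed on opendnssec-develop.
Added illustration only; not OpenDNSSEC code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Key:
    label: str
    sign: List[str]              # raw <sign> values, e.g. ["ANY", "DNSKEY"]
    ktype: Optional[str] = None  # John's <type>: "KSK", "ZSK" or absent


def parse_keys(xml_text: str) -> List[Key]:
    """Parse bare <key> elements as posted in the thread.

    The snippets have no root element, so a <keys> wrapper is assumed here.
    Duplicate labels are rejected, since a label is used to name a signer.
    """
    root = ET.fromstring("<keys>" + xml_text + "</keys>")
    keys = []
    for el in root.findall("key"):
        label = el.findtext("label")
        if label is None:
            raise ValueError("<key> without <label>")
        sign = [s.text.strip() for s in el.findall("sign") if s.text]
        keys.append(Key(label.strip(), sign, el.findtext("type")))
    labels = [k.label for k in keys]
    if len(set(labels)) != len(labels):
        raise ValueError("duplicate <label> values: " + ", ".join(labels))
    return keys


def selected_types(key: Key) -> Set[str]:
    """Expand a key's <sign> list into its selector set.

    John's rules: DEFAULT on a KSK means the DNSKEY RRset only; DEFAULT on a
    ZSK means everything including DNSKEY (modelled as ANY plus DNSKEY, an
    assumption); a KSK may only carry DEFAULT.
    """
    if key.ktype == "KSK" and key.sign != ["DEFAULT"]:
        raise ValueError(f"{key.label}: a KSK must use <sign>DEFAULT</sign>")
    if key.sign == ["DEFAULT"]:
        if key.ktype == "KSK":
            return {"DNSKEY"}
        if key.ktype == "ZSK":
            return {"ANY", "DNSKEY"}
        raise ValueError(f"{key.label}: DEFAULT requires a <type>")
    return set(key.sign)


def resolve(keys: List[Key], rrtypes: List[str]) -> Dict[str, List[str]]:
    """Map each RRTYPE present in the zone to the labels of keys signing it.

    ANY covers every type that no key selected explicitly (Jakob's "sign
    everything not explicitly selected" rule); an explicitly selected type
    is signed by exactly the keys that list it.
    """
    sel = [selected_types(k) for k in keys]
    explicit = {t for s in sel for t in s if t != "ANY"}
    signers: Dict[str, List[str]] = {}
    for t in rrtypes:
        signers[t] = [
            k.label for k, s in zip(keys, sel)
            if t in s or ("ANY" in s and t not in explicit)
        ]
    return signers


def unsigned_types(signers: Dict[str, List[str]]) -> List[str]:
    """RRTYPEs that no key would sign: the check to run before deploying."""
    return sorted(t for t, labels in signers.items() if not labels)


# Constructed inputs mirroring the thread's three configurations.
ROY_SPLIT = """
<key><label>KEY-1</label><sign>ANY</sign></key>
<key><label>KEY-2</label><sign>DNSKEY</sign></key>
"""
ROY_VANILLA = """
<key><label>KEY-1</label><sign>ANY</sign><sign>DNSKEY</sign></key>
<key><label>KEY-2</label><sign>DNSKEY</sign></key>
"""
JOHN_TYPED = """
<key><label>KEY-1</label><type>KSK</type><sign>DEFAULT</sign></key>
<key><label>KEY-2</label><type>ZSK</type><sign>DEFAULT</sign></key>
<key><label>KEY-3</label><type>ZSK</type><sign>DS</sign></key>
"""
# RRTYPEs assumed to occur in the zone (constructed).
ZONE_TYPES = ["SOA", "NS", "A", "DNSKEY", "DS"]

if __name__ == "__main__":
    for name, cfg in (("split", ROY_SPLIT), ("vanilla", ROY_VANILLA),
                      ("typed", JOHN_TYPED)):
        print(name, resolve(parse_keys(cfg), ZONE_TYPES))
```

Running the module prints the signer map for each configuration: in the "split" case KEY-1 signs SOA, NS, A and DS but not DNSKEY, which KEY-2 alone signs; in the "vanilla" case both keys sign DNSKEY; in the typed case the DS-only key takes over DS while the DEFAULT ZSK signs the rest including DNSKEY.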