[Opendnssec-develop] KSK vs ZSK
John Dickinson
jad at jadickinson.co.uk
Fri Mar 6 09:48:48 UTC 2009
On 6 Mar 2009, at 09:39, John Dickinson wrote:
> We also need to specify how key rollover will occur. Will the key be
> treated according to the KSK or ZSK logic as specified in the draft
> (pre-publish or double key?)? How about this:
>
> <key>
> <label>KEY-1</label>
> <type>KSK</type>
> <sign>DEFAULT</sign>
> </key>
> <key>
> <label>KEY-2</label>
> <type>ZSK</type>
> <sign>DEFAULT</sign>
> </key>
> <key>
> <label>KEY-3</label>
> <type>ZSK</type>
> <sign>DS</sign>
> </key>
>
> If <sign> = DEFAULT then KSKs sign the DNSKEY RRSet and ZSKs sign
> everything including the DNSKEY RRSet.
>
> If <sign> != DEFAULT then the key only signs the specified types of
> RRSet.
>
> If <type> = KSK then <sign> == DEFAULT
Even better, let's not re-introduce the KSK/ZSK terms and let's get rid of
DEFAULT. How about:
<key>
<label>KEY-1</label>
<rolltype>doublekey</rolltype>
<sign>DNSKEY</sign>
</key>
<key>
<label>KEY-2</label>
<rolltype>prepublish</rolltype>
<sign>ALL</sign>
</key>
<key>
<label>KEY-3</label>
<rolltype>prepublish</rolltype>
<sign>DS</sign>
</key>
So in this example, KEY-1 is effectively a KSK in the typical sense,
KEY-2 is a typical ZSK and KEY-3 is one of our special ones.
---
John Dickinson
http://www.jadickinson.co.uk
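As an added illustration (not OpenDNSSEC code and not part of the thread), the following Python parses the proposed `<key>` elements, rejects malformed entries, works out which RRsets each key signs, maps each key back onto the "typical KSK / typical ZSK / special" description from the message, and lays out the phases of a pre-publish versus double-key rollover. The element names `<label>`, `<rolltype>` and `<sign>` and the values `doublekey`, `prepublish`, `DNSKEY`, `ALL` and `DS` come from the message; the space-separated `<sign>` vocabulary, the validation rules and the simplified rollover phases are assumptions made for this example.

```python
"""Parse and sanity-check the <key> configuration proposed in the thread.

Added illustration, not OpenDNSSEC code. Element names and values are taken
from the proposal; the multi-type <sign> syntax, the validation rules and the
rollover phases below are assumptions made for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ROLLTYPES = {"doublekey", "prepublish"}
ALL = "ALL"  # <sign>ALL</sign> means the key signs every RRset in the zone

# Constructed sample: the three keys from the proposal, wrapped in a <keys> root.
SAMPLE = """<keys>
<key><label>KEY-1</label><rolltype>doublekey</rolltype><sign>DNSKEY</sign></key>
<key><label>KEY-2</label><rolltype>prepublish</rolltype><sign>ALL</sign></key>
<key><label>KEY-3</label><rolltype>prepublish</rolltype><sign>DS</sign></key>
</keys>"""


@dataclass(frozen=True)
class KeyConf:
    label: str
    rolltype: str
    sign: frozenset  # RR type names this key signs, or {"ALL"}

    def signs(self, rrtype: str) -> bool:
        """True if this key produces RRSIGs over RRsets of the given type."""
        return ALL in self.sign or rrtype in self.sign

    def role(self) -> str:
        """Map the proposal back onto the familiar terms used in the message."""
        if self.sign == frozenset({"DNSKEY"}) and self.rolltype == "doublekey":
            return "KSK"      # signs only the DNSKEY RRset, rolls by double key
        if ALL in self.sign and self.rolltype == "prepublish":
            return "ZSK"      # signs everything, rolls by pre-publish
        return "special"      # anything else, e.g. a key that only signs DS


def parse_keys(xml_text: str) -> list:
    """Parse every <key> element, enforcing the assumed validation rules."""
    root = ET.fromstring(xml_text)
    keys, seen = [], set()
    for el in root.iter("key"):
        label = (el.findtext("label") or "").strip()
        rolltype = (el.findtext("rolltype") or "").strip()
        sign = (el.findtext("sign") or "").strip()
        if not (label and rolltype and sign):
            raise ValueError("key needs <label>, <rolltype> and <sign>")
        if label in seen:
            raise ValueError(f"duplicate key label {label!r}")
        if rolltype not in ROLLTYPES:
            raise ValueError(f"{label}: unknown rolltype {rolltype!r}")
        types = frozenset(sign.split())  # assumed: space-separated RR type names
        if ALL in types and len(types) > 1:
            raise ValueError(f"{label}: ALL cannot be combined with other types")
        seen.add(label)
        keys.append(KeyConf(label, rolltype, types))
    return keys


def rollover_steps(old: KeyConf, new: KeyConf) -> list:
    """Simplified phases of rolling `old` to `new` (assumed, after the usual
    pre-publish and double-signature descriptions). Each phase records which
    keys are in the DNSKEY RRset and which keys are producing signatures."""
    if old.rolltype != new.rolltype or old.sign != new.sign:
        raise ValueError("successor key must have the same rolltype and sign set")
    both = {old.label, new.label}
    if old.rolltype == "prepublish":
        return [
            {"published": both, "signing": {old.label}},   # new key visible, not yet used
            {"published": both, "signing": {new.label}},   # switch signing once cached
            {"published": {new.label}, "signing": {new.label}},  # retire old key
        ]
    return [
        {"published": both, "signing": both},              # both keys sign during the roll
        {"published": {new.label}, "signing": {new.label}},  # old key removed afterwards
    ]


if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        print(k.label, k.rolltype, sorted(k.sign), "->", k.role())
```

Running the module prints each key's label, rollover type and signed types next to the role it corresponds to; the `role()` mapping is what the closing sentence of the message describes in words.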