[Opendnssec-develop] KSK vs ZSK

Jakob Schlyter jakob at kirei.se
Fri Mar 6 13:25:23 UTC 2009

ok, here's another try after some more real-time jabber discussions  
with roy and john:

<!-- KSK, sign only DNSKEY -->

<!-- classic ZSK, sign everything -->

<!-- new ZSK, sign everything except DNSKEY -->

rules: the default for sign is the full set, except if you explicitly  
include stuff - then you start with an empty set of RRtypes.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3646 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090306/41da2201/attachment.bin>

More information about the Opendnssec-develop mailing list