[Opendnssec-develop] KSK vs ZSK
Jakob Schlyter
jakob at kirei.se
Fri Mar 6 13:25:23 UTC 2009
ok, here's another try after some more real-time jabber discussions
with roy and john:

<!-- KSK, sign only DNSKEY -->
<sign>
    <include>DNSKEY</include>
</sign>

<!-- classic ZSK, sign everything -->
<sign/>

<!-- new ZSK, sign everything except DNSKEY -->
<sign>
    <exclude>DNSKEY</exclude>
</sign>

rules: the default for sign is the full set, except if you explicitly
include stuff - then you start with an empty set of RRtypes.
jakob
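
The rule above, as an added example that is not part of the original post and not OpenDNSSEC code: it evaluates a proposed <sign> element against the RRtypes present in a zone and reports any RRtype that no key would sign. The function names, the sample zone's RRtype list, and the choice to apply excludes after includes when both appear are assumptions.

```python
import xml.etree.ElementTree as ET


def signed_rrtypes(sign_xml, zone_rrtypes):
    """Return the set of RRtypes one key signs under the proposed <sign> rules."""
    elem = ET.fromstring(sign_xml)
    if elem.tag != "sign":
        raise ValueError("expected a <sign> element")
    zone = {t.upper() for t in zone_rrtypes}
    include = {e.text.strip().upper() for e in elem.findall("include") if e.text}
    exclude = {e.text.strip().upper() for e in elem.findall("exclude") if e.text}
    # Rule from the post: the default is the full set, unless something is
    # explicitly included, in which case start from an empty set.
    selected = (include & zone) if include else set(zone)
    # Assumption (not stated in the post): excludes are applied after includes.
    return selected - exclude


def uncovered(policies, zone_rrtypes):
    """Return RRtypes in the zone that none of the given key policies signs."""
    covered = set()
    for policy in policies:
        covered |= signed_rrtypes(policy, zone_rrtypes)
    return {t.upper() for t in zone_rrtypes} - covered


# Constructed sample zone contents and the three policies from the post.
ZONE = ["SOA", "NS", "A", "AAAA", "MX", "DNSKEY"]
KSK = "<sign><include>DNSKEY</include></sign>"
CLASSIC_ZSK = "<sign/>"
NEW_ZSK = "<sign><exclude>DNSKEY</exclude></sign>"

if __name__ == "__main__":
    for name, policy in (("KSK", KSK), ("classic ZSK", CLASSIC_ZSK), ("new ZSK", NEW_ZSK)):
        print(name, sorted(signed_rrtypes(policy, ZONE)))
    # A "new ZSK" deployed without a KSK leaves the DNSKEY RRset unsigned.
    print("new ZSK alone leaves unsigned:", sorted(uncovered([NEW_ZSK], ZONE)))
    print("KSK + new ZSK leaves unsigned:", sorted(uncovered([KSK, NEW_ZSK], ZONE)))
```

The coverage check matters for the "new ZSK" variant: it only yields a fully signed zone when paired with a key whose policy includes DNSKEY.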