[Opendnssec-user] DNSKEY RRset signing with ZSK

Rick van Rein rick at openfortress.nl
Wed Sep 12 22:29:50 UTC 2012


Hi Paul,

> I'm looking at telling opendnssec to sign the DNSKEY RRset with both the
> ZSK and KSK.

Interesting -- what would be the use of such a configuration?

It would introduce more signatures, and so more things to check (overhead,
delays) to the DNSKEY RRset, without introducing additional validation
paths because the KSK is the mechanism to validate DNSKEY RRsets.

Moreover, it could trigger concealed bugs -- for instance, a ZSK following
a different algorithm than the KSK could influence the set of algorithms
that is required by a validating resolver (presumably due to bugs) as a
result of doing something so unconventional.

I'm curious about your usage pattern that would make this a necessity?


Cheers,
 -Rick
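
Added example, not part of this thread and not OpenDNSSEC code: a small Python audit that reads apex DNSKEY and RRSIG records in presentation format, computes key tags as in RFC 4034 Appendix B, and reports which keys sign the DNSKEY RRset. It flags the extra ZSK signature discussed above (more to verify, no additional validation path), a DNSKEY RRset with no SEP-flagged signer, and the algorithm-coverage rule of RFC 4035 section 2.2 that a ZSK of a different algorithm can trip. The record lines, key blobs and signature blobs are constructed placeholders, the SEP flag is taken as the KSK/ZSK indicator by convention, and the function and class names are my own.

```python
import base64
from dataclasses import dataclass

# Secure Entry Point flag bit (RFC 4034 s.2.1.1): set on KSKs, clear on ZSKs by convention.
SEP_FLAG = 0x0001


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    @property
    def key_tag(self) -> int:
        # Key tag per RFC 4034 Appendix B, computed over the wire-format RDATA.
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key
        ac = 0
        for i, b in enumerate(rdata):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class RrSig:
    owner: str
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


def parse_dnskey(line: str) -> DnsKey:
    # Presentation format: owner TTL class DNSKEY flags protocol algorithm base64-key
    owner, _ttl, _cls, rrtype, flags, proto, alg, *b64 = line.split()
    assert rrtype == "DNSKEY"
    return DnsKey(owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_rrsig(line: str) -> RrSig:
    # Presentation format: owner TTL class RRSIG type alg labels orig-TTL expire incept key-tag signer sig
    owner, _ttl, _cls, rrtype, covered, alg, _lab, _ottl, _exp, _inc, tag, signer, *_sig = line.split()
    assert rrtype == "RRSIG"
    return RrSig(owner, covered, int(alg), int(tag), signer)


def audit_dnskey_signatures(zone_lines):
    """Report which keys sign the apex DNSKEY RRset and flag unconventional setups."""
    keys, sigs = {}, []  # keyed by key tag; a tag collision between two keys would overwrite
    for line in zone_lines:
        f = line.split()
        if len(f) > 3 and f[3] == "DNSKEY":
            k = parse_dnskey(line)
            keys[k.key_tag] = k
        elif len(f) > 4 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            sigs.append(parse_rrsig(line))

    signers, warnings = [], []
    for s in sigs:
        k = keys.get(s.key_tag)
        if k is None:
            warnings.append(f"RRSIG over DNSKEY by key tag {s.key_tag} not present in the RRset")
            continue
        signers.append((s.key_tag, "KSK" if k.is_ksk else "ZSK", s.algorithm))
        if not k.is_ksk:
            # A ZSK signature over DNSKEY adds verification work but no extra trust path.
            warnings.append(f"DNSKEY RRset signed by ZSK {s.key_tag}: extra signature, no extra validation path")
    if not any(keys[t].is_ksk for t, _, _ in signers):
        warnings.append("no SEP-flagged key signs the DNSKEY RRset; the DS-anchored chain cannot be validated")
    # RFC 4035 s.2.2: every algorithm in the DNSKEY RRset must sign every RRset, DNSKEY included.
    for alg in sorted({k.algorithm for k in keys.values()} - {s.algorithm for s in sigs}):
        warnings.append(f"algorithm {alg} is in the DNSKEY RRset but no RRSIG over DNSKEY uses it")
    return {"signers": signers, "warnings": warnings}


# Constructed sample apex records (tiny fake keys and signature blobs, not real cryptographic material).
SAMPLE_ZONE = [
    "example. 3600 IN DNSKEY 257 3 8 AQIDBA==",   # KSK, key tag 2063
    "example. 3600 IN DNSKEY 256 3 8 BQYHCA==",   # ZSK, key tag 4118
    "example. 3600 IN RRSIG DNSKEY 8 1 3600 20121001000000 20120901000000 2063 example. c2ln",
    "example. 3600 IN RRSIG DNSKEY 8 1 3600 20121001000000 20120901000000 4118 example. c2ln",
    "example. 3600 IN RRSIG SOA 8 1 3600 20121001000000 20120901000000 4118 example. c2ln",
]

if __name__ == "__main__":
    report = audit_dnskey_signatures(SAMPLE_ZONE)
    for tag, role, alg in report["signers"]:
        print(f"DNSKEY RRset signed by {role} {tag} (algorithm {alg})")
    for w in report["warnings"]:
        print("WARNING:", w)
```

Run against the sample it lists both signers and warns about the ZSK signature; drop the ZSK's RRSIG over DNSKEY and the report is clean, while giving the ZSK a different algorithm number than the KSK with only the KSK signing DNSKEY produces the algorithm-coverage warning, which is the kind of resolver-side surprise the reply above is wary of.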


