On Nov 20 2008, Stephane Bortzmeyer wrote:
[...snipped...]
> [Warning: still struggling with the subtleties of KSK/ZSK.]
> The text you quote is for DNS publication. But you typically do not
> put KSK in the DNS, no?
Sure you do. How could a validator use it if you didn't? Perhaps
you meant: you would keep the private half of the KSK more securely
locked up than the private half of the ZSK?
The usual setup in a signed zone is

  DNSKEY RRset at zone apex:      one RR for each KSK and for each ZSK
  RRSIG RRs for the DNSKEY RRset: one signed with each KSK
                                  and one signed with each ZSK
  RRSIG RRs for all other RRsets: one signed with each ZSK

(allowing for multiple KSKs and ZSKs because of rollover).
That is, KSKs are used only to sign the DNSKEY RRset, and those
RRSIGs would typically be generated offline, even if the private
halves of the ZSKs are online.
--
Chris Thompson
Email: [EMAIL PROTECTED]
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
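A runnable sketch of the layout Chris describes, added here as an illustration and not part of the original thread or of BIND. It models a zone with one KSK and two ZSKs (a rollover in progress), has every key sign the DNSKEY RRset and only the ZSKs sign the other RRsets, keeps the KSK signing step in a separate function so the KSK private half never has to be present where the ZSKs are used, and then validates from the KSK public half as trust anchor. The zone data, the key generation (textbook RSA over small primes, no padding) and the "key tag" are all constructed stand-ins chosen for illustration; they are not DNSSEC wire formats or DNSSEC-grade cryptography.

```python
"""Toy model of the KSK/ZSK layout: every KSK and ZSK signs the DNSKEY RRset,
only ZSKs sign everything else, and the KSK step is separable (offline).
Signing is textbook RSA over small primes, constructed for illustration only
(real DNSSEC uses properly padded RSA/ECDSA with real key sizes)."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


def _next_prime(start: int) -> int:
    """Smallest prime >= start by trial division (cheap for values near 1e6)."""
    n = start
    while any(n % p == 0 for p in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


@dataclass(frozen=True)
class Key:
    role: str              # "KSK" or "ZSK": an operational label, not a protocol property
    n: int                 # RSA modulus (public)
    e: int                 # RSA public exponent
    d: int | None = None   # private exponent; None for a public-only copy

    @property
    def tag(self) -> int:          # toy stand-in for the DNSKEY key tag
        return self.n % 65536

    def public(self) -> Key:
        return Key(self.role, self.n, self.e)

    def dnskey_rdata(self) -> str:  # "flags protocol algorithm key"; 257 sets the SEP bit
        return f"{257 if self.role == 'KSK' else 256} 3 8 {self.n}:{self.e}"


def make_key(role: str, seed: int) -> Key:
    p, q, e = _next_prime(1_000_003 + 1000 * seed), _next_prime(2_000_003 + 1000 * seed), 65537
    return Key(role, p * q, e, pow(e, -1, (p - 1) * (q - 1)))


def parse_dnskey(rdata: str) -> Key:
    flags, _proto, _alg, pub = rdata.split()
    n, e = map(int, pub.split(":"))
    return Key("KSK" if int(flags) & 1 else "ZSK", n, e)


def _digest(n: int, owner: str, rtype: str, rdatas: list[str]) -> int:
    canon = "\n".join([f"{owner} {rtype}", *sorted(rdatas)]).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n


def rrsig(key: Key, owner: str, rtype: str, rdatas: list[str]) -> tuple[int, int]:
    """An RRSIG modelled as (key tag, signature); needs the private half."""
    assert key.d is not None, f"{key.role} private half is not available here"
    return key.tag, pow(_digest(key.n, owner, rtype, rdatas), key.d, key.n)


def verify(key: Key, owner: str, rtype: str, rdatas: list[str], sig: int) -> bool:
    return pow(sig, key.e, key.n) == _digest(key.n, owner, rtype, rdatas)


def sign_online(zone: dict, zsks: list[Key]) -> dict:
    """The online signer: one RRSIG per ZSK on every RRset, DNSKEY RRset included."""
    return {k: [rrsig(z, *k, rd) for z in zsks] for k, rd in zone.items()}


def sign_dnskey_offline(apex: str, zone: dict, ksks: list[Key]) -> list[tuple[int, int]]:
    """The offline step: KSK RRSIGs over the DNSKEY RRset and nothing else."""
    return [rrsig(k, apex, "DNSKEY", zone[(apex, "DNSKEY")]) for k in ksks]


def sign_zone(apex: str, zone: dict, ksks: list[Key], zsks: list[Key]) -> tuple[dict, dict]:
    signed = dict(zone)
    signed[(apex, "DNSKEY")] = [k.public().dnskey_rdata() for k in (*ksks, *zsks)]
    sigs = sign_online(signed, zsks)
    sigs[(apex, "DNSKEY")] += sign_dnskey_offline(apex, signed, ksks)
    return signed, sigs


def validate(apex: str, zone: dict, sigs: dict, trust_anchor: Key) -> dict:
    """Per-RRset result, starting from the KSK public half as trust anchor
    (the key a DS record in the parent would commit to)."""
    dnskey = (apex, "DNSKEY")
    keys: dict[int, list[Key]] = {}
    for k in map(parse_dnskey, zone[dnskey]):
        keys.setdefault(k.tag, []).append(k)     # tags can collide, so keep lists

    def signed_by(rrset: tuple, candidates: dict) -> bool:
        return any(verify(k, *rrset, zone[rrset], s)
                   for tag, s in sigs.get(rrset, []) for k in candidates.get(tag, []))

    # Step 1: the anchor must be in the DNSKEY RRset and an RRSIG over that RRset
    # must verify under it; only then is the rest of the RRset trusted.
    dnskey_ok = trust_anchor.dnskey_rdata() in zone[dnskey] and \
        signed_by(dnskey, {trust_anchor.tag: [trust_anchor]})
    # Step 2: any key in the validated DNSKEY RRset may sign other RRsets; the
    # protocol does not look at the KSK/ZSK label, only operational practice does.
    return {rrset: dnskey_ok and (rrset == dnskey or signed_by(rrset, keys))
            for rrset in zone}


def demo() -> dict[str, dict]:
    """Three scenarios over a constructed zone; returns validation results."""
    apex = "example."
    ksk, zsks = make_key("KSK", 0), [make_key("ZSK", 1), make_key("ZSK", 2)]  # ZSK rollover
    zone = {(apex, "NS"): [f"ns1.{apex}", f"ns2.{apex}"], (f"www.{apex}", "A"): ["192.0.2.1"]}
    signed, sigs = sign_zone(apex, zone, [ksk], zsks)
    anchor = ksk.public()                        # the validator never sees ksk.d
    tampered = {**signed, (f"www.{apex}", "A"): ["192.0.2.99"]}
    no_ksk = {**sigs, (apex, "DNSKEY"): [s for s in sigs[(apex, "DNSKEY")] if s[0] != ksk.tag]}
    return {"intact": validate(apex, signed, sigs, anchor),
            "tampered_a": validate(apex, tampered, sigs, anchor),
            "no_ksk_rrsig": validate(apex, signed, no_ksk, anchor)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, {f"{o} {t}": ok for (o, t), ok in result.items()})
```

The three scenarios in `demo()` are the ones worth checking against the layout above: the intact zone validates everywhere; a modified A RRset fails on its own while the DNSKEY RRset and the NS RRset still validate (the ZSK signatures over them are untouched); and dropping the KSK's RRSIG over the DNSKEY RRset makes everything fail, because without it the ZSKs' own signatures over DNSKEY cannot be chained to the trust anchor, no matter how many ZSKs signed.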