At 9:51 -0700 6/23/11, Fredrik Ljunggren wrote:
> A KSK is a DNSKEY with the SEP bit set. And for validation to work with a
> single key, that key has to have the SEP bit set. So I would suggest
> roll-overs in a single-key zone to be described under KSK roll-over.
SEP != KSK.

In the protocol, there is no distinction between KSK and ZSK. The
SEP bit signals the intent of the zone administrator to distribute
this key to other parties to develop a chain of trust.

What is known as a KSK is a key that signs only other keys in the
DNSKEY set and is (in the vast majority of cases) intended to be
distributed to another party, for example, in a DS record to the
parent zone.

A zone may use one key to sign everything (Common Signing Key is a
designation I like) and have it be marked with the SEP bit.

The SEP bit is not a factor in validation. It's a factor in key
management tools.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
I'm overly entertained.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
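The following is an added example, not part of the message above or of the DNSOP thread. It illustrates the point being argued: the SEP bit is one flag bit in DNSKEY RDATA (RFC 4034 section 2.1.1), the test a validator applies before using a DNSKEY to verify an RRSIG (Zone Key bit set, not revoked, protocol 3) never looks at SEP, and "KSK", "ZSK" or "CSK" is a description of what a key actually signs, which you can recover from the zone's RRSIGs by key tag (RFC 4034 Appendix B). The DNSKEY records and the RRSIG summaries are constructed with dummy key material; the names `parse_dnskey`, `key_tag`, `usable_for_validation` and `classify_by_use` are this example's own, not a real library's API.

```python
"""Added example, not from the DNSOP thread: the SEP bit is a flag bit in
DNSKEY RDATA, a validator's usable-zone-key test does not consult it, and
KSK/ZSK/CSK is decided by what the key signs.  All key material below is
constructed dummy data, not real DNSSEC keys."""
import base64
from dataclasses import dataclass

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1)
FLAG_ZONE = 0x0100    # bit 7: Zone Key; validators ignore DNSKEYs without it
FLAG_REVOKE = 0x0080  # bit 8: key revoked (RFC 5011 trust-anchor management)
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point, a hint for key-management tools


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)

    @property
    def sep(self) -> bool:
        return bool(self.flags & FLAG_SEP)


def parse_dnskey(rr: str) -> DNSKEY:
    """Parse presentation format: owner [ttl] [class] DNSKEY flags proto alg b64..."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return DNSKEY(fields[0], flags, proto, alg,
                  base64.b64decode("".join(fields[i + 4:])))


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def usable_for_validation(key: DNSKEY) -> bool:
    """What a validator checks before verifying an RRSIG with this DNSKEY
    (RFC 4034 sections 2.1.1 and 2.1.2, RFC 5011 section 2.1).  No SEP test."""
    return (bool(key.flags & FLAG_ZONE)
            and not key.flags & FLAG_REVOKE
            and key.protocol == 3)


def classify_by_use(keys, rrsigs) -> dict:
    """Map key tag -> 'KSK' | 'ZSK' | 'CSK' | 'unused' from the zone's RRSIGs,
    given as (type covered, key tag) pairs.  This is the operational meaning of
    KSK/ZSK; the SEP bit is not consulted."""
    roles = {}
    for key in keys:
        tag = key_tag(key)
        covered = {t for t, kt in rrsigs if kt == tag}
        signs_keys = "DNSKEY" in covered
        signs_data = bool(covered - {"DNSKEY"})
        roles[tag] = ("CSK" if signs_keys and signs_data else
                      "KSK" if signs_keys else
                      "ZSK" if signs_data else "unused")
    return roles


# Constructed records (dummy key material; 64 repeated bytes, not a real key).
KSK_RR = "example. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes([1]) * 64).decode()
ZSK_RR = "example. 3600 IN DNSKEY 256 3 13 " + base64.b64encode(bytes([2]) * 64).decode()
KSK = parse_dnskey(KSK_RR)
ZSK = parse_dnskey(ZSK_RR)

# Constructed RRSIG summary for a classic split-key zone: (type covered, key tag).
SPLIT_SIGS = [("DNSKEY", key_tag(KSK)), ("SOA", key_tag(ZSK)), ("A", key_tag(ZSK))]
# The same SEP-flagged key signing everything: a Common Signing Key.
CSK_SIGS = [("DNSKEY", key_tag(KSK)), ("SOA", key_tag(KSK)), ("A", key_tag(KSK))]

if __name__ == "__main__":
    for k in (KSK, ZSK):
        print(f"tag={key_tag(k)} sep={k.sep} usable={usable_for_validation(k)}")
    print("split-key zone:", classify_by_use([KSK, ZSK], SPLIT_SIGS))
    print("single-key zone:", classify_by_use([KSK], CSK_SIGS))
```

Run as a script it prints both keys as usable for validation regardless of SEP, classifies the 257 key as KSK and the 256 key as ZSK in the split-key zone, and classifies the same 257 key as CSK when its tag appears on every RRSIG. A key with only the SEP bit set (flags 1) fails `usable_for_validation` because the Zone Key bit is clear, which is the check that matters to a validator.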