[dns-operations] What is the most pressing need for DNS these days?

Mark Andrews Mark_Andrews at isc.org
Mon Jul 10 22:11:49 UTC 2006

> Rick,
> On Jul 10, 2006, at 11:29 AM, Rick Wesson wrote:
> > How do we as "dns operators" formally call out ICANN to produce the  
> > Root
> > Signing Keys
> In most discussions I have heard there are really two keys, the key  
> signing key and the zone signing key.  Which do you believe ICANN  
> should produce?
	The KSK.  This is the one that is added as a trusted key
	into named.conf and other resolver configuration files.

	The ZSK should be held by the entity generating the root
	zone on a day to day basis.  Once the ZSK is created it
	should be added to the DNSKEY RRset and the DNSKEY RRset
	should then be signed with the KSK and ZSK.

	If the ZSK key has a one month active, one month lead and
	one month tail.  The KSK signature needs a 3 month expiration
	and is pulled out monthly.

> > associated rollover documentation.
> I would've thought the IETF would have been the place to produce the  
> associated rollover documentation.
> Rgds,
> -drc
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list