[dns-operations] What is the most pressing need for DNS these days?
Mark_Andrews at isc.org
Mon Jul 10 22:11:49 UTC 2006
> On Jul 10, 2006, at 11:29 AM, Rick Wesson wrote:
> > How do we as "dns operators" formally call out ICANN to produce the
> > Root Signing Keys
> In most discussions I have heard there are really two keys, the key
> signing key and the zone signing key. Which do you believe ICANN
> should produce?
The KSK. This is the one that is added as a trusted key
into named.conf and other resolver configuration files.
The ZSK should be held by the entity generating the root
zone on a day to day basis. Once the ZSK is created it
should be added to the DNSKEY RRset and the DNSKEY RRset
should then be signed with the KSK and ZSK.
If the ZSK key has a one month active, one month lead and
one month tail, the KSK signature needs a 3 month expiration
and is pulled out monthly.
> > associated rollover documentation.
> I would've thought the IETF would have been the place to produce the
> associated rollover documentation.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org