[dns-operations] DNSKEY signatures

George Barwood george.barwood at blueyonder.co.uk
Mon Apr 19 16:06:39 UTC 2010

It seems to me that DNSKEY RRsets should only  be signed with the keys that
are designated as secure entry points, that is keys with bit 15 set : DNSKEY Flags field = 257.

However the examples I have seen (including RFC 4035) all seem to sign the DNSKEY RRset with
the zone signing key(s) as well.

The standard ( http://tools.ietf.org/html/rfc4035#section-2.2 ) says

  There MUST be an RRSIG for each RRset using at least one DNSKEY of
  each algorithm in the zone apex DNSKEY RRset.  The apex DNSKEY RRset
  itself MUST be signed by each algorithm appearing in the DS RRset
  located at the delegating parent (if any).

But this doesn't seem to explain the observed practice.

Any explanation? Am I missing something?

More information about the dns-operations mailing list