[dns-operations] DNSKEY signatures

George Barwood george.barwood at blueyonder.co.uk
Tue Apr 20 17:39:58 UTC 2010


> Oh, I think I may have misunderstood you.  Of course an administrative
> tool could refuse to sign a zone with a key that didn't have the SEP
> bit set.  IMO this would be a mistake, because I don't really believe
> that every zone ought to _have_ different KSKs and ZSKs.
> 
>> (a) Only keys with the SEP bit set may be used.
> 
> The problem here is that many people seem to have developed the
> unfortunate belief that SEP == KSK and nothing else.  I don't want to
> reinforce that.

I think bringing the SEP flag into it may have been a mistake on my part.

Maybe what I'm really trying to say is that a signing tool should be able to 
be given sufficient information, so that it can know which signatures are
wanted by the zone administrator.

Now there are many possible ways to sign a zone, but an obvious, simple way to sign
is to have 2 keys, a KSK and a ZSK, to sign the DNSKEY RRset with the KSK (only),
and to sign the other RRsets with the ZSK (only).

It seems that current signing tools don't allow this simple intent to be communicated.

I intend to make this the default (fully automatic) behavior in my signing implementation,
and possibly offer some options for some other alternatives (such as just having a single
key that signs everything).

My worry was that this might be invalid, but I don't think it is. Rather, existing implementations
don't seem to offer this straightforward option.

George
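
The split-key default described in this message, sketched as an added example; it is not part of the original post and is not George's implementation. The function names, the `ROLES` mapping (roles stated by the administrator rather than read from the SEP flag), the key tags and the sample records are all assumptions, and `rrsets` is assumed to list only the authoritative RRsets that should be signed.

```python
from collections import defaultdict

def plan_signatures(rrsets, roles, policy="split"):
    """Map each (owner, type) RRset to the key tags that should sign it.

    roles is stated by the administrator ({key_tag: "KSK" | "ZSK"});
    it is deliberately not inferred from the SEP flag.
    """
    if policy == "single":              # every listed key signs everything
        return {rrset: sorted(roles) for rrset in rrsets}
    if policy != "split":
        raise ValueError(f"unknown policy: {policy}")
    ksks = sorted(t for t, r in roles.items() if r == "KSK")
    zsks = sorted(t for t, r in roles.items() if r == "ZSK")
    if not ksks or not zsks:
        raise ValueError("split policy needs at least one KSK and one ZSK")
    # DNSKEY RRset: KSK only. Every other RRset: ZSK only.
    return {(o, t): (ksks if t == "DNSKEY" else zsks) for o, t in rrsets}

def audit(rrsigs, plan):
    """Compare RRSIGs found in a signed zone against the plan."""
    actual = defaultdict(set)
    for owner, covered, key_tag in rrsigs:
        actual[(owner, covered)].add(key_tag)
    findings = []
    for rrset in sorted(plan):
        wanted, got = set(plan[rrset]), actual[rrset]
        findings += [(rrset, t, "missing") for t in sorted(wanted - got)]
        findings += [(rrset, t, "unexpected") for t in sorted(got - wanted)]
    return findings

# Constructed sample data (key tags and names are made up).
ROLES = {12345: "KSK", 54321: "ZSK"}
RRSETS = [("example.", "DNSKEY"), ("example.", "SOA"),
          ("example.", "NS"), ("www.example.", "A")]
# (owner, type covered, key tag) as they would appear in RRSIG records.
RRSIGS = [("example.", "DNSKEY", 12345), ("example.", "DNSKEY", 54321),
          ("example.", "SOA", 54321), ("example.", "NS", 54321)]

if __name__ == "__main__":
    for finding in audit(RRSIGS, plan_signatures(RRSETS, ROLES)):
        print(finding)
```

On the sample data the audit reports the ZSK signature over the DNSKEY RRset as unexpected and the unsigned `www.example.` A RRset as missing its ZSK signature.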

