[dns-operations] Problems with .gov

Edward Lewis Ed.Lewis at neustar.biz
Mon Jan 31 16:17:37 UTC 2011

At 16:40 +0100 1/31/11, Stephane Bortzmeyer wrote:

>Other thing that puzzles me, the DNSKEY set is now signed only with
>the KSK, not by any ZSK.
>Advice from DNSSEC experts? Problem or not?

That's the way the protocol was intended to work.  That's why they 
were named "KEY signing keys" ;) as opposed to "ZONE signing keys."

KEK and ZSK are "jargon" terms or "colloquial" expressions generated 
in the workshops from 1999 to 2004 or so.  The only distinction in 
the protocol is "SEP" in that there is an SEP bit in the flags.  The 
SEP bit is not used in validation, just in some key management 

Personally, I consider it a bug to see a ZSK's signature over a key 
set - but not a critical/significant bug.
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

With a week old newborn at home, I've discovered that the only 
difference between him and me is that I have to go to work daily. 
That's not fair!  Ma!

More information about the dns-operations mailing list