[dns-operations] Problems with .gov
Edward Lewis
Ed.Lewis at neustar.biz
Mon Jan 31 16:17:37 UTC 2011
At 16:40 +0100 1/31/11, Stephane Bortzmeyer wrote:
>Other thing that puzzles me, the DNSKEY set is now signed only with
>the KSK, not by any ZSK.
>
>Advice from DNSSEC experts? Problem or not?
That's the way the protocol was intended to work. That's why they
were named "KEY signing keys" ;) as opposed to "ZONE signing keys."

KSK and ZSK are "jargon" terms or "colloquial" expressions generated
in the workshops from 1999 to 2004 or so. The only distinction in
the protocol is "SEP" in that there is an SEP bit in the flags. The
SEP bit is not used in validation, just in some key management
situations.

Personally, I consider it a bug to see a ZSK's signature over a key
set - but not a critical/significant bug.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
With a week old newborn at home, I've discovered that the only
difference between him and me is that I have to go to work daily.
That's not fair! Ma!
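
Added example, not part of the original message: a small check of which keys have signatures over a DNSKEY set, matching RRSIGs to keys by algorithm and key tag (RFC 4034 Appendix B) and reporting the SEP bit separately, since it plays no part in the match. The key material is a constructed 4-byte placeholder, the function names are hypothetical, and signatures are matched by tag only, not cryptographically verified.

```python
import base64
import struct

SEP_BIT = 0x0001  # RFC 4034 DNSKEY flags: Secure Entry Point (bit 15)

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def keyset_signers(dnskeys, rrsigs):
    """Report, per DNSKEY, its SEP bit and whether it signed the DNSKEY RRset.

    dnskeys: list of (flags, protocol, algorithm, key_b64)
    rrsigs:  list of (algorithm, key_tag) from the RRSIGs covering DNSKEY
    Matching uses algorithm + key tag only; the SEP bit is not consulted.
    """
    signing = set(rrsigs)
    report = []
    for flags, protocol, algorithm, key_b64 in dnskeys:
        tag = key_tag(dnskey_rdata(flags, protocol, algorithm, key_b64))
        report.append({
            "key_tag": tag,
            "sep": bool(flags & SEP_BIT),
            "signs_keyset": (algorithm, tag) in signing,
        })
    return report

def zsk_signs_keyset(report):
    """True if any key without the SEP bit has a signature over the key set."""
    return any(r["signs_keyset"] and not r["sep"] for r in report)

# Constructed sample data: placeholder "keys", not real key material.
SAMPLE_KEYS = [(257, 3, 8, "AQIDBA=="), (256, 3, 8, "AQIDBA==")]
KSK_ONLY = [(8, 2063)]                # RRSIG(DNSKEY) made by the SEP key only
KSK_AND_ZSK = [(8, 2063), (8, 2062)]  # also signed by the non-SEP key

if __name__ == "__main__":
    for sigs in (KSK_ONLY, KSK_AND_ZSK):
        rep = keyset_signers(SAMPLE_KEYS, sigs)
        print(rep, "non-SEP key signs key set:", zsk_signs_keyset(rep))
```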