[dns-operations] Both KSK & ZSK signing DNSKEY records
Phil Pennock
dnsop+phil at spodhuis.org
Mon Mar 18 02:09:18 UTC 2013
Been meaning to check: is there any downside, beyond extra bandwidth
conveying extra signatures, to the DNSKEY records in a zone having been
signed by _both_ the KSKs and the ZSKs?
I noticed on Sandia's display tool:
http://dnsviz.net/d/spodhuis.org/dnssec/
that this is happening, and it's not happening on, e.g., psg.com, so my
assumption is that this is an artifact of BIND inline signing.
"dig +dnssec -t dnskey spodhuis.org" shows two RRSIG records, one each
from 43854 (KSK) and 56225 (ZSK).
Did I do something wrong?
It seems harmless, beyond the extra payload in responses pushing up
packet sizes.
Thanks,
-Phil
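
The check described in the post, as an added example that is not part of the original message: a Python script that reads `dig +dnssec -t dnskey` answer lines and reports whether each RRSIG over the DNSKEY RRset was made by a KSK or a ZSK, matching signatures to keys by the RFC 4034 Appendix B key tag. The `example.test` records and key bytes are constructed, and single-line (non `+multiline`) dig output is assumed.

```python
import base64
import struct

def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_signers(dig_answer: str) -> dict:
    """Map each key tag that signed the DNSKEY RRset to 'KSK', 'ZSK' or 'unknown'."""
    roles, signers = {}, []
    for line in dig_answer.splitlines():
        f = line.split()
        if len(f) < 5 or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        rtype, rdata = f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            tag = key_tag(flags, proto, alg, "".join(rdata[3:]))
            roles[tag] = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit set => KSK
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            signers.append(int(rdata[6]))  # key tag field of the RRSIG
    return {tag: roles.get(tag, "unknown") for tag in signers}

def build_sample() -> str:
    """Constructed dig-style answer: one KSK (257), one ZSK (256), both signing DNSKEY."""
    ksk = base64.b64encode(b"constructed-ksk-public-key").decode()
    zsk = base64.b64encode(b"constructed-zsk-public-key").decode()
    lines = [f"example.test. 3600 IN DNSKEY 257 3 8 {ksk}",
             f"example.test. 3600 IN DNSKEY 256 3 8 {zsk}"]
    for flags, key in ((257, ksk), (256, zsk)):
        tag = key_tag(flags, 3, 8, key)
        lines.append(f"example.test. 3600 IN RRSIG DNSKEY 8 2 3600 "
                     f"20130417000000 20130318000000 {tag} example.test. c2ln")
    return "\n".join(lines)

if __name__ == "__main__":
    print(dnskey_signers(build_sample()))
```

A result containing both a `KSK` and a `ZSK` entry corresponds to the double-signed DNSKEY RRset described above; a result with only `KSK` entries corresponds to a zone where only the KSK signs it.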