[dns-operations] Both KSK & ZSK signing DNSKEY records

Phil Pennock dnsop+phil at spodhuis.org
Mon Mar 18 22:41:10 UTC 2013


On 2013-03-18 at 03:29 +0000, Evan Hunt wrote:
> On Sun, Mar 17, 2013 at 10:09:18PM -0400, Phil Pennock wrote:
> > "dig +dnssec -t dnskey spodhuis.org" shows two RRSIG records, one each
> > from 43854 (KSK) and 56225 (ZSK).
> > 
> > Did I do something wrong?
> 
> No, this is the default behavior.  If you're using automatic signing,
> you can override this by adding "dnssec-dnskey-kskonly yes;" to your
> options statement.  If you're using dnssec-signzone, you can override
> it by using the -x flag.

Thanks.  I see the documentation for that now, in chapter 6 of the ARM;
it's not mentioned in the DNSSEC chapter.

So before I possibly change something from the defaults, could you
please explain _why_ it's the default?  I freely admit to not knowing as
much as I should about DNSSEC and ISC normally choose the defaults with
care, but I'm confused about what issue is being addressed by having
double-signing turned on and would appreciate education.

(Rationale for decisions around packet-size affecting options seems
on-topic for dns-operations)

Thanks,
-Phil
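To make the difference between the default and the KSK-only setting visible, here is an added checking script (not from the thread, nor BIND's own code) that parses "dig +dnssec -t dnskey" style output, computes each DNSKEY's key tag per RFC 4034 Appendix B, and reports whether the DNSKEY RRset carries signatures from the KSK only or from both keys. The zone name, key material ("AQAB") and signatures in the two samples are constructed placeholders, chosen small enough that the key tags (1545 for the SEP-flagged key, 1544 for the ZSK) can be checked by hand.

```python
import base64
import struct

# Constructed sample responses; "AQAB" is a placeholder, not a usable key.
# Default BIND behaviour: DNSKEY RRset signed by both KSK (tag 1545) and ZSK (tag 1544).
DIG_DEFAULT = """\
example.org. 3600 IN DNSKEY 257 3 8 AQAB
example.org. 3600 IN DNSKEY 256 3 8 AQAB
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20130401000000 20130318000000 1545 example.org. c2ln
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20130401000000 20130318000000 1544 example.org. c2ln
"""
# What "dnssec-dnskey-kskonly yes;" (or dnssec-signzone -x) produces: KSK signature only.
DIG_KSKONLY = "\n".join(DIG_DEFAULT.splitlines()[:3]) + "\n"


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA (RFC 4034 App. B; not the RSAMD5 special case)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse(text):
    """Return ({key_tag: 'KSK'|'ZSK'}, {key tags appearing in RRSIG DNSKEY records})."""
    keys, signers = {}, set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit marks the KSK
            keys[key_tag(flags, proto, alg, "".join(f[7:]))] = role
        elif len(f) >= 12 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            signers.add(int(f[10]))  # key tag field of the RRSIG
    return keys, signers


def dnskey_signing_mode(text):
    """'both' is BIND's default; 'ksk-only' matches dnssec-dnskey-kskonly / -x."""
    keys, signers = parse(text)
    roles = {keys[t] for t in signers if t in keys}
    if roles == {"KSK", "ZSK"}:
        return "both"
    if roles == {"KSK"}:
        return "ksk-only"
    if roles == {"ZSK"}:
        return "zsk-only"
    return "unsigned-or-unknown-signer"
```

Feed it real dig output and it will also flag RRSIGs whose key tag matches no published DNSKEY, which is what a validator would see after a key rollover that removed a key too early.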
