[dns-operations] Both KSK & ZSK signing DNSKEY records
dnsop+phil at spodhuis.org
Mon Mar 18 22:41:10 UTC 2013
On 2013-03-18 at 03:29 +0000, Evan Hunt wrote:
> On Sun, Mar 17, 2013 at 10:09:18PM -0400, Phil Pennock wrote:
> > "dig +dnssec -t dnskey spodhuis.org" shows two RRSIG records, one each
> > from 43854 (KSK) and 56225 (ZSK).
> > Did I do something wrong?
> No, this is the default behavior. If you're using automatic signing,
> you can override this by adding "dnssec-dnskey-kskonly yes;" to your
> options statement. If you're using dnssec-signzone, you can override
> it by using the -x flag.
Thanks. I see the documentation for that now, in chapter 6 of the ARM;
it's not mentioned in the DNSSEC chapter.
So before I possibly change something from the defaults, could you
please explain _why_ it's the default? I freely admit to not knowing as
much as I should about DNSSEC and ISC normally choose the defaults with
care, but I'm confused about what issue is being addressed by having
double-signing turned on and would appreciate education.
(Rationale for decisions around packet-size affecting options seems
on-topic for dns-operations)
More information about the dns-operations