[dns-operations] DS-side NSEC query

Mark Andrews marka at isc.org
Sat Jul 30 22:40:22 UTC 2016

In message <alpine.LRH.2.20.1607301821140.13622 at bofh.nohats.ca>, Paul Wouters w
> On Sat, 30 Jul 2016, Mark Andrews wrote:
> > KEY is also another type which exists authoritatively both sides
> > of a delegation as does NXT which NSEC replaced and both RRSIG and
> > SIG.  NXT and SIG should be virtually non-existent but KEY still
> > exists.
> freeswan stopped using KEY a decade ago when the DNS people said
> these records were for DNSSEC only and not for a PKI. Whoever still
> uses KEY for anything would be wrong. I thought the introduction
> of DNSKEY/RRSIG/NSEC killed the KEY/SIG/NXT records.

KEY has *never* been DNSSEC only.  DNSKEY is DNSSEC only.  KEY is
still used for SIG(0).  DNSKEY/RRSIG/NSEC took over zone signing.
Every other use of KEY/SIG/NXT however remained.

> Paul
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
