[dns-operations] negative dnssec replies

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Nov 28 20:56:23 UTC 2016

> On Nov 28, 2016, at 3:23 PM, Router Log <logrouterlog at gmail.com> wrote:
> I still think there must be a more elegant method out there that doesn't involve keeping the private key on the shop floor.

The key in question is just the ZSK.  Keeping those on-line is
no more risky than keeping web server private keys on-line.  In
fact often safer, since the KSK signature over the ZSK often has
a shorter lifetime.  Even the KSK effective lifetime (signature
lifetime of DS RRset in parent zone) is comparatively short.  I
would suggest that the reluctance to have DNS signing keys online
is a meme that has outlived its usefulness.  By all means, if 
off-line works for you, do it, but there is not a compelling reason
to do that.


More information about the dns-operations mailing list