[dns-operations] why root-servers only sign DNSKEY(257) RRSIG ?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Nov 27 13:00:28 UTC 2017

On Mon, Nov 27, 2017 at 05:15:08PM +0800,
 Champion Xie <xiejieling at gmail.com> wrote 
 a message of 134 lines which said:

> . 172800 IN *RRSIG DNSKEY* 8 0 172800 (
> 20171211000000 20171120000000 *19036* .

You mean "why the DNSKEY RRset of the root is signed only with the
KSK, not with both KSK and ZSK?"

If so, that's an old discussion (and not only for the root but for
every signed domain), with (IMHO), inconclusive results.

More information about the dns-operations mailing list