[dns-operations] why root-servers only sign DNSKEY(257) RRSIG ?

Tony Finch dot at dotat.at
Mon Nov 27 13:43:46 UTC 2017

Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> You mean "why the DNSKEY RRset of the root is signed only with the
> KSK, not with both KSK and ZSK?"
> If so, that's an old discussion (and not only for the root but for
> every signed domain), with (IMHO), inconclusive results.

In the case of the root, is it true that the ZSK private key material
isn't present when the KSK signs the DNSKEY RRsets?

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Trafalgar: Easterly 5 to 7. Moderate or rough. Fair. Good.

More information about the dns-operations mailing list