[dns-operations] why root-servers only sign DNSKEY(257) RRSIG ?
phoffman at proper.com
Mon Nov 27 16:49:23 UTC 2017
On 27 Nov 2017, at 5:43, Tony Finch wrote:
> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>> You mean "why the DNSKEY RRset of the root is signed only with the
>> KSK, not with both KSK and ZSK?"
>> If so, that's an old discussion (and not only for the root but for
>> every signed domain), with (IMHO), inconclusive results.
> In the case of the root, is it true that the ZSK private key material
> isn't present when the KSK signs the DNSKEY RRsets?
Yes, that is true. ZSK HSMs are maintained by Verisign in different
facilities than the KSK HSMs that ICANN operates.