[dns-operations] why root-servers only sign DNSKEY(257) RRSIG ?

Paul Hoffman phoffman at proper.com
Mon Nov 27 16:49:23 UTC 2017

On 27 Nov 2017, at 5:43, Tony Finch wrote:

> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>> You mean "why the DNSKEY RRset of the root is signed only with the
>> KSK, not with both KSK and ZSK?"
>> If so, that's an old discussion (and not only for the root but for
>> every signed domain), with (IMHO), inconclusive results.
> In the case of the root, is it true that the ZSK private key material
> isn't present when the KSK signs the DNSKEY RRsets?

Yes, that is true. ZSK HSMs are maintained by Verisign in different 
facilities than the KSK HSMs that ICANN operates.

--Paul Hoffman

More information about the dns-operations mailing list