[dns-operations] why root-servers only sign DNSKEY(257) RRSIG ?
Paul Hoffman
phoffman at proper.com
Mon Nov 27 16:49:23 UTC 2017
On 27 Nov 2017, at 5:43, Tony Finch wrote:
> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>>
>> You mean "why the DNSKEY RRset of the root is signed only with the
>> KSK, not with both KSK and ZSK?"
>>
>> If so, that's an old discussion (and not only for the root but for
>> every signed domain), with (IMHO), inconclusive results.
>
> In the case of the root, is it true that the ZSK private key material
> isn't present when the KSK signs the DNSKEY RRsets?
Yes, that is true. ZSK HSMs are maintained by Verisign in different
facilities than the KSK HSMs that ICANN operates.
--Paul Hoffman