[dns-operations] why root-servers only sign DNSKEY(257) RRSIG ?
wbrown at e1b.org
Mon Nov 27 17:56:29 UTC 2017
> From: "Paul Hoffman" <phoffman at proper.com>
> > In the case of the root, is it true that the ZSK private key material
> > isn't present when the KSK signs the DNSKEY RRsets?
>
> Yes, that is true. ZSK HSMs are maintained by Verisign in different
> facilities than the KSK HSMs that ICANN operates.
Isn't this actually best practice for non-root operators as well, keeping
the KSK separated from the KSK operates?