Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
There are multiple conflicting definitions of what a KSK is.
With the DS record [5] the concept of key-signing and zone-signing
keys has been introduced. Key-signing keys are the keys that sign
the keyset only. In general, key-signing keys are the keys that are
pointed to by DS records and are the first keys to be used when
following a chain of trust into the zone. The key-signing keys only
sign the KEY RRset at the apex of a zone, zone-signing keys sign all
other data in a zone. We propose a flag to distinguish the key-signing
key from other keys in the KEY RR set during DNSSEC operations.
By setting the KSK flag on a particular key, zone administrators
indicate that that key SHOULD be used as the secure entry point for
their zone. Therefore zone administrators SHOULD set the bit only
for zone keys that are used to sign the KEY RRset and are intended to
act as the first link in the chain of trust for their zone.
The last sentence should be changed to:
Therefore zone administrators SHOULD set the bit only
for zone keys that are used to sign the KEY RRset only and are intended to
act as the first link in the chain of trust for their zone.
to bring the definitions into alignment.
There should be a note that if KSK is set on a key, there
MUST be other keys without KSK set to sign the rest of the zone's
contents, as KSKs are restricted to only signing the KEY RRset.
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
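As an added illustration (not part of the draft or of this message), the following check encodes the three constraints discussed above: a KSK-flagged key signs the KEY RRset only, every KSK-flagged key does sign the KEY RRset, and at least one key without the flag remains to sign the rest of the zone. It assumes the KSK flag is the low-order bit of the flags field (the position later standardized as the SEP bit in RFC 3757), and the key ids, flags and signature list are constructed sample data.

```python
# Added example, not code from the draft or the mail: validates the KSK
# consistency rules over a constructed KEY RRset and its signatures.
# Assumption: the KSK flag is the low-order bit (bit 15) of the flags field,
# the position later standardized as the SEP bit in RFC 3757.
KSK_FLAG = 0x0001


def is_ksk(flags):
    """True if the KSK (secure entry point) flag is set on a key."""
    return bool(flags & KSK_FLAG)


def check_keyset(keys, sigs):
    """keys: {key_id: flags}; sigs: list of (rrtype_covered, signing_key_id).
    Returns a list of problems; an empty list means the key set is consistent."""
    problems = []
    ksks = {kid for kid, flags in keys.items() if is_ksk(flags)}
    zsks = set(keys) - ksks
    # Rule 1: a KSK signs the KEY RRset only.
    for rrtype, kid in sigs:
        if kid in ksks and rrtype != "KEY":
            problems.append(f"KSK {kid} signs {rrtype}, but KSKs may sign KEY only")
    # Rule 2: if any key carries the KSK flag, keys without it must exist
    # to sign the remaining zone contents.
    if ksks and not zsks:
        problems.append("every key has KSK set; no key is left to sign zone data")
    # Rule 3: the flag is only meant for keys that actually sign the KEY RRset.
    for kid in sorted(ksks):
        if ("KEY", kid) not in sigs:
            problems.append(f"KSK {kid} does not sign the KEY RRset")
    return problems


# Constructed sample: one KSK (zone key + KSK bit), one ZSK, correct pattern.
GOOD_KEYS = {"k1": 0x0101, "k2": 0x0100}
GOOD_SIGS = [("KEY", "k1"), ("KEY", "k2"), ("SOA", "k2"), ("NS", "k2"), ("A", "k2")]

# Constructed sample that violates the rules: both keys are flagged KSK,
# one signs SOA, the other signs NS and never signs the KEY RRset.
BAD_KEYS = {"k1": 0x0101, "k3": 0x0101}
BAD_SIGS = [("KEY", "k1"), ("SOA", "k1"), ("NS", "k3")]

if __name__ == "__main__":
    for label, keys, sigs in (("good", GOOD_KEYS, GOOD_SIGS), ("bad", BAD_KEYS, BAD_SIGS)):
        print(label, check_keyset(keys, sigs) or "OK")
```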