[dnssec-deployment] Signed Root @ IANA

Mark Andrews Mark_Andrews at isc.org
Wed Aug 1 19:13:33 EDT 2007


> On Thu, Aug 02, 2007 at 05:46:03AM +1000, Mark Andrews wrote:
> > 
> > 	Another differentiator is key size.  Zone keys are likely to be
> > 	smaller.
> 
> 		why do you think this is the case?

	The zone keys are generally rolled more frequently than the
	key signing keys so are exposed for a shorter period to
	crypto analysis so they don't need to as strong.

> > 	The only real way to find out which keys should have DS records is
> > 	to ask the child zone if there are multiple keys.  Everything else
> > 	is a huristic including KSK flags.
> 
> 		the child should give the parent the requisite data.
> 		agreed.
> 
> > 	Mark
> 
> --BILL
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the Dnssec-deployment mailing list