[dnssec-deployment] Signed Root @ IANA
Mark_Andrews at isc.org
Wed Aug 1 19:13:33 EDT 2007
> On Thu, Aug 02, 2007 at 05:46:03AM +1000, Mark Andrews wrote:
> > Another differentiator is key size. Zone keys are likely to be
> > smaller.
> why do you think this is the case?
The zone keys are generally rolled more frequently than the
key signing keys so are exposed for a shorter period to
crypto analysis so they don't need to as strong.
> > The only real way to find out which keys should have DS records is
> > to ask the child zone if there are multiple keys. Everything else
> > is a huristic including KSK flags.
> the child should give the parent the requisite data.
> > Mark
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the Dnssec-deployment