[dnssec-deployment] Signatures on the DNSKEY

Frederico A C Neves fneves at registro.br
Wed Nov 11 03:43:34 EST 2009

Just a quick feedback,

We've updated our signer software and the .br keyset has been signed
only by the KSK since last week.

Smooth transition during a single IXFR and no breakage reports.


On Wed, Sep 30, 2009 at 11:41:02AM -0400, Edward Lewis wrote:
> Should a DNSKEY set with a mixture of SEP and non-SEP keys (flags 257 
> and 256) be (actively) signed by any of its non-SEP key(s)?
> (SEP is colloquially called a KSK, non-SEP is ZSK.)
> The IETF document is unclear on this, although I do recall past 
> discussions on what keys were needed to sign the DNSKEY set at the 
> apex, as opposed to any other set of data in the zone.
> In my opinion, the signature of a non-SEP key over an apex DNSKEY set 
> is superfluous[0].  One source suggested that it was needed when 
> transitioning from a DNSKEY set without an SEP to one with.  Although 
> I'd question if it would be needed in even that situation, I think 
> that once an SEP key appears in the DNSKEY set, there's no need to 
> refresh any non-SEP key generated signature.  (Allowing the older 
> non-SEP signatures to remain until they expire.)
> The reason I want to drop non-SEP signatures is to save space in 
> DNSKEY responses.  The marginal bytes saved in some cases do matter 
> in the UDP or TCP choice.
> [0]
> 1 a : exceeding what is sufficient or necessary : extra
> 1 b : not needed : unnecessary
> 2 obsolete : marked by wastefulness : extravagant
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis             
> NeuStar                    You can leave a voice message at +1-571-434-5468
> As with IPv6, the problem with the deployment of frictionless surfaces is
> that they're not getting traction.
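As an added example (not code from this thread, from NeuStar or from registro.br), here is a rough wire-size estimate of an apex DNSKEY response with and without the non-SEP (ZSK) RRSIG that Edward asks about, plus the check that the set still carries a SEP-key signature. The key set, RSA key sizes and the 1232-byte EDNS buffer are constructed assumptions.

```python
# Added example: estimate the wire size of an apex DNSKEY response with and
# without the ZSK RRSIG, and check that a SEP key still signs the set.
# Key set, key sizes and EDNS buffer below are constructed, not .br's real setup.

def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name, e.g. "br." -> 4 bytes."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1

def dnskey_rdata_len(modulus_bits: int, exponent_len: int = 3) -> int:
    """Flags(2)+protocol(1)+algorithm(1)+RSA key per RFC 3110: exp-len(1)+exp+modulus."""
    return 4 + 1 + exponent_len + modulus_bits // 8

def rrsig_rdata_len(signer: str, modulus_bits: int) -> int:
    """18 bytes of fixed RRSIG fields + signer name (never compressed) + RSA signature."""
    return 18 + name_wire_len(signer) + modulus_bits // 8

RR_OVERHEAD = 12  # owner as compression pointer(2)+type(2)+class(2)+TTL(4)+RDLENGTH(2)
OPT_RR_LEN = 11   # EDNS OPT pseudo-RR with empty RDATA

def dnskey_response_len(zone: str, keys: list, signers: list) -> int:
    """Header + question + DNSKEY RRs + one RRSIG per signing key + OPT RR."""
    size = 12 + name_wire_len(zone) + 4
    size += sum(RR_OVERHEAD + dnskey_rdata_len(k["bits"]) for k in keys)
    size += sum(RR_OVERHEAD + rrsig_rdata_len(zone, k["bits"]) for k in signers)
    return size + OPT_RR_LEN

def fits_udp(size: int, edns_buffer: int) -> bool:
    """True if the response goes out over UDP untruncated; otherwise TC=1 and a TCP retry."""
    return size <= edns_buffer

def signed_by_sep(keys: list, signers: list) -> bool:
    """The property the thread relies on: some RRSIG over the DNSKEY set comes from a
    SEP-flagged (257) key in the set.  The flag is only a hint (RFC 4034 s2.1.1); a
    validator really checks that the signing key matches the parent's DS record."""
    return any(k["flags"] == 257 and k in keys for k in signers)

# Constructed key set: KSK and ZSK rollovers overlapping, with the incoming keys
# pre-published; 2048-bit RSA KSKs and 1024-bit RSA ZSKs.
KSK_OLD, KSK_NEW = {"flags": 257, "bits": 2048}, {"flags": 257, "bits": 2048}
ZSK_OLD, ZSK_NEW = {"flags": 256, "bits": 1024}, {"flags": 256, "bits": 1024}
KEYS = [KSK_OLD, KSK_NEW, ZSK_OLD, ZSK_NEW]
EDNS_BUFFER = 1232  # assumed resolver-advertised buffer size

if __name__ == "__main__":
    both = dnskey_response_len("br.", KEYS, [KSK_OLD, ZSK_OLD])
    ksk_only = dnskey_response_len("br.", KEYS, [KSK_OLD])
    for label, size in (("KSK+ZSK signatures", both), ("KSK signature only", ksk_only)):
        print(f"{label}: {size} bytes, fits UDP/{EDNS_BUFFER}: {fits_udp(size, EDNS_BUFFER)}")
    print("still signed by a SEP key:", signed_by_sep(KEYS, [KSK_OLD]))
```

With these assumptions the extra 1024-bit ZSK RRSIG costs 162 bytes and is exactly what pushes the response past the buffer, which is the "marginal bytes" case the question raises.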
