[dnssec-deployment] Signatures on the DNSKEY
Frederico A C Neves
fneves at registro.br
Wed Nov 11 03:43:34 EST 2009
Just some quick feedback,
We've updated our signer software and the .br keyset has been signed
only by the KSK since last week.
Smooth transition during a single IXFR and no breakage reports.
On Wed, Sep 30, 2009 at 11:41:02AM -0400, Edward Lewis wrote:
> Should a DNSKEY set with a mixture of SEP and non-SEP keys (flags 257
> and 256) be (actively) signed by any of its non-SEP key(s)?
> (SEP is colloquially called a KSK, non-SEP is ZSK.)
> The IETF document is unclear on this, although I do recall past
> discussions on what keys were needed to sign the DNSKEY set at the
> apex, as opposed to any other set of data in the zone.
> In my opinion, the signature of a non-SEP key over an apex DNSKEY set
> is superfluous. One source suggested that it was needed when
> transitioning from a DNSKEY set without an SEP to one with. Although
> I'd question if it would be needed in even that situation, I think
> that once an SEP key appears in the DNSKEY set, there's no need to
> refresh any non-SEP key generated signature. (Allowing the older
> non-SEP signatures to remain until they expire.)
> The reason I want to drop non-SEP signatures is to save space in
> DNSKEY responses. The marginal bytes saved in some cases do matter
> in the UDP or TCP choice.
> 1 a : exceeding what is sufficient or necessary : extra
> 1 b : not needed : unnecessary
> 2 obsolete : marked by wastefulness : extravagant
> Edward Lewis
> NeuStar You can leave a voice message at +1-571-434-5468
> As with IPv6, the problem with the deployment of frictionless surfaces is
> that they're not getting traction.
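The thread turns on two checkable facts about an apex DNSKEY RRset: which keys (SEP or non-SEP) actually produced RRSIG(DNSKEY) records, and how many bytes a non-SEP signature adds to the DNSKEY response that Edward wants to keep under the UDP limit. The script below is an added example for this page, not code from registro.br or from anyone on the dnssec-deployment list. It parses presentation-format DNSKEY and RRSIG records, computes key tags per RFC 4034 Appendix B, classifies each signer by its SEP flag, and estimates the response bytes saved by dropping the non-SEP signatures. The zone "example." and all key and signature bytes are constructed dummies (4-byte keys, zero-filled signatures), and the size estimate assumes the owner name is a 2-byte compression pointer; the RRSIG signer name is counted uncompressed because RFC 4034 section 3.1.7 forbids compressing it.

```python
"""Audit which keys sign an apex DNSKEY RRset and estimate how many bytes a
non-SEP (ZSK) RRSIG adds to the DNSKEY response.

Added example for the list discussion; not code from registro.br or the
dnssec-deployment list. Records, keys and signatures are constructed dummies,
so the key tags and byte counts are illustrative and nothing validates
cryptographically.
"""
import base64
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001  # Secure Entry Point bit of the DNSKEY flags (RFC 4034, 2.1.1)

def compute_key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms but RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    @property
    def key_tag(self) -> int:
        return compute_key_tag(struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey)

@dataclass
class RRSIG:
    owner: str
    type_covered: str
    key_tag: int
    signer: str
    signature: bytes

def parse_record(line: str):
    """Parse one presentation-format DNSKEY or RRSIG line: owner TTL class type rdata..."""
    owner, _ttl, _cls, rtype, *rdata = line.split()
    if rtype == "DNSKEY":
        return DNSKEY(owner, int(rdata[0]), int(rdata[1]), int(rdata[2]), base64.b64decode("".join(rdata[3:])))
    if rtype == "RRSIG":
        # rdata: covered alg labels orig_ttl expiration inception key_tag signer signature...
        return RRSIG(owner, rdata[0], int(rdata[6]), rdata[7], base64.b64decode("".join(rdata[8:])))
    raise ValueError(f"unsupported type {rtype}")

def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a name: one length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def rrsig_response_bytes(sig: RRSIG) -> int:
    """Bytes one RRSIG RR adds to a response (assumption: owner is a 2-byte
    compression pointer; the signer name is never compressed, RFC 4034 3.1.7)."""
    rr_overhead = 2 + 2 + 2 + 4 + 2          # owner ptr, TYPE, CLASS, TTL, RDLENGTH
    fixed_rdata = 2 + 1 + 1 + 4 + 4 + 4 + 2  # covered, alg, labels, orig TTL, exp, inc, key tag
    return rr_overhead + fixed_rdata + name_wire_len(sig.signer) + len(sig.signature)

def audit_dnskey_signatures(records) -> dict:
    """Classify RRSIG(DNSKEY) signers as SEP / non-SEP and total what the non-SEP ones cost."""
    keys = {k.key_tag: k for k in records if isinstance(k, DNSKEY)}
    report = {"sep_signers": [], "non_sep_signers": [], "unknown_signers": [], "bytes_saved_if_ksk_only": 0}
    for sig in (r for r in records if isinstance(r, RRSIG) and r.type_covered == "DNSKEY"):
        key = keys.get(sig.key_tag)
        if key is None:
            report["unknown_signers"].append(sig.key_tag)   # signer not in the RRset: worth alerting on
        elif key.is_sep:
            report["sep_signers"].append(sig.key_tag)
        else:
            report["non_sep_signers"].append(sig.key_tag)
            report["bytes_saved_if_ksk_only"] += rrsig_response_bytes(sig)
    report["ksk_signed"] = bool(report["sep_signers"])  # validators need at least one SEP signature
    return report

def dnskey_response_estimate(records, qname: str) -> int:
    """Rough size of the answer to 'qname DNSKEY': header + question + DNSKEYs + RRSIG(DNSKEY)s."""
    total = 12 + name_wire_len(qname) + 4
    for r in records:
        if isinstance(r, DNSKEY):
            total += 2 + 2 + 2 + 4 + 2 + 4 + len(r.pubkey)
        elif isinstance(r, RRSIG) and r.type_covered == "DNSKEY":
            total += rrsig_response_bytes(r)
    return total

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

# Constructed apex records for the imaginary zone "example.": 4-byte dummy keys,
# a 256-byte dummy KSK signature and a 128-byte dummy ZSK signature.
KSK_PUB, ZSK_PUB = bytes([1, 2, 3, 4]), bytes([5, 6, 7, 8])
KSK_TAG = compute_key_tag(struct.pack("!HBB", 257, 3, 8) + KSK_PUB)  # 2063 for these dummy bytes
ZSK_TAG = compute_key_tag(struct.pack("!HBB", 256, 3, 8) + ZSK_PUB)  # 4118 for these dummy bytes
SAMPLE_APEX = [
    f"example. 3600 IN DNSKEY 257 3 8 {b64(KSK_PUB)}",
    f"example. 3600 IN DNSKEY 256 3 8 {b64(ZSK_PUB)}",
    f"example. 3600 IN RRSIG DNSKEY 8 1 3600 20091201000000 20091101000000 {KSK_TAG} example. {b64(bytes(256))}",
    f"example. 3600 IN RRSIG DNSKEY 8 1 3600 20091201000000 20091101000000 {ZSK_TAG} example. {b64(bytes(128))}",
]

def audit_zone(lines, qname: str = "example.") -> dict:
    records = [parse_record(line) for line in lines]
    report = audit_dnskey_signatures(records)
    report["estimated_response_bytes"] = dnskey_response_estimate(records, qname)
    return report

if __name__ == "__main__":
    for field, value in audit_zone(SAMPLE_APEX).items():
        print(f"{field}: {value}")
```

Run against the constructed records, the audit reports one SEP signer, one non-SEP signer, and 167 bytes attributable to the ZSK signature; the whole estimated answer is 527 bytes with it and 360 without, on either side of the classic 512-byte UDP limit. With real 1024- or 2048-bit RSA keys every figure is larger and the EDNS buffer size advertised by the resolver decides where truncation happens, but the marginal cost of each extra RRSIG is exactly this fixed overhead plus the signature length, which is the saving the original post is after. The `unknown_signers` list is the operational check the thread's transition implies: after a signer change, an RRSIG whose key tag matches no key in the set is a stale or misconfigured signature.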