On Apr 18, 2011, at 3:01 PM, George Barwood wrote:

> I have a few comments.
>
> (1) It's my belief that almost all Zones except for the root zone should NOT
> use a KSK/ZSK split.

A compelling reason to use the KSK/ZSK split is that you want to use different security practices for the SEP key (which is harder to roll) vs. the zone signing keys. A common example of this is to keep the KSK "offline", which may be impractical for a ZSK.

> (2) There is no point in using a larger key size than the smallest key size
> in the parent chain (again assuming no manual trust anchors). i.e. if the
> parent DS record is signed with a 1024 bit key, there is no point in using
> keys larger than 1024 bits. Again, current practice appears to be the
> opposite. I don't think this is mentioned, even if it is obvious.

I don't think I agree with this logic. It is true that the security of the whole chain is only as strong as the weakest link, but there is value in having your more difficult-to-roll KSK not be the weakest link.

--
David Blacka <[email protected]>
Principal Engineer
Verisign Infrastructure Engineering
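As an added illustration of the two points discussed in this reply (example code, not from the thread or either poster), the script below reads RSA DNSKEY public keys in RFC 3110 wire format to recover their modulus size, walks a chain from the root down, reports the smallest key on the path (the "weakest link") and flags any zone whose KSK is smaller than its own ZSK. The zone names, key blobs and the `constructed_rsa_key` / `analyse_chain` helpers are constructed for this example; the key blobs are not real keys.

```python
import base64
import struct

SEP_FLAG = 0x0001  # DNSKEY flags bit 15 (SEP): set on KSKs (flags 257), clear on ZSKs (256)

def rsa_key_bits(b64key: str) -> int:
    """Modulus size in bits of an RSA DNSKEY public key in RFC 3110 wire format."""
    raw = base64.b64decode(b64key)
    exp_len, pos = raw[0], 1
    if exp_len == 0:  # long form: a two-byte exponent length follows the zero octet
        exp_len, pos = struct.unpack("!H", raw[1:3])[0], 3
    modulus = raw[pos + exp_len:].lstrip(b"\x00")
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()

def constructed_rsa_key(bits: int) -> str:
    """Constructed stand-in (not a real key): exponent 65537 and a modulus of `bits` bits."""
    modulus = b"\x80" + b"\x5a" * (bits // 8 - 1)  # top bit set, so the size is exact
    exponent = b"\x01\x00\x01"
    return base64.b64encode(bytes([len(exponent)]) + exponent + modulus).decode()

def analyse_chain(chain):
    """chain: [(zone, [(flags, b64key), ...]), ...] listed root first.
    The parent's ZSK signs the child's DS, which covers the child's KSK, which signs
    the child's ZSK, so every key is a link. Returns the smallest key on the path and
    the zones whose KSK is smaller than their own ZSK."""
    weakest = None
    ksk_weaker = []
    for zone, keys in chain:
        sep = [rsa_key_bits(k) for f, k in keys if f & SEP_FLAG]
        non = [rsa_key_bits(k) for f, k in keys if not f & SEP_FLAG]
        ksk, zsk = min(sep or non), min(non or sep)  # no split: one key serves both roles
        weakest = min(x for x in (weakest, ksk, zsk) if x is not None)
        if ksk < zsk:
            ksk_weaker.append(zone)
    return weakest, ksk_weaker

# Constructed chain: root, a zone with a 1024-bit KSK under a 2048-bit ZSK, and a
# leaf zone that uses a single key with no KSK/ZSK split.
SAMPLE_CHAIN = [
    (".", [(257, constructed_rsa_key(2048)), (256, constructed_rsa_key(1024))]),
    ("example.", [(257, constructed_rsa_key(1024)), (256, constructed_rsa_key(2048))]),
    ("www.example.", [(257, constructed_rsa_key(2048))]),
]

if __name__ == "__main__":
    weakest, flagged = analyse_chain(SAMPLE_CHAIN)
    print(f"weakest link on the path: {weakest} bits; KSK smaller than ZSK in: {flagged}")
```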
