On Fri, 19 Apr 2013, Joe Abley wrote:
>> Besides the other two comments: DS records are signed with the ZSK, and
>> the CDS document explains why it needs to be signed with the KSK instead
>> (also).
>
> I'm not sure I fully understand the logic of that, actually.
>
> Surely the important thing is that the apex CDS RRSet in the child zone can be
> verified to be authentic.

and that it is signed by the KSK holder - not the ZSK holder. If the
parent would update its DS based on the child's ZSK's signature, then
the ZSK is used as KSK and the ZSK holder can bypass the KSK, and thus
separation of duties and/or different HSM/storage/security is bypassed.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop