On Apr 22 2013, Edward Lewis wrote:

> We really do need to drop the KSK and ZSK terminology because there are
> Common Signing Keys coming "back" in vogue. The factor is whether a key is
> a SEP or not. Recall that in the validation and signing engines, the SEP
> bit is not significant, it is there for the convenience of key management
> tools.
I was extremely pleased to see that draft-kumari-ogud-dnsop-cds-01 dropped all mention of KSK and ZSK (well, almost - there is a reference to KSK in the introduction). It may be that there is still too much talk about the SEP bit.

The essence of the previous requirement that CDS RRsets were to be signed with a KSK is much better captured by the current text:

   The CDS record MUST be at the zone apex, and MUST be signed with a key
   that is represented in the current DNSKEY and DS RRsets. If these
   conditions are not met the CDS record MUST be ignored.

That is, the chain of trust used by the parent to validate a CDS is restricted to be of length 1. That is all it knows on earth, and all it needs to know (with apologies to John Keats).

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: [email protected]     New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
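A worked illustration of the acceptance rule quoted above (CDS at the apex, signed by a key present in both the child's DNSKEY RRset and the parent's current DS RRset), added here as an example; it is not code from the original message, from the draft, or from any DNS implementation. It assumes a parent that already has the child's DNSKEY RRset, the CDS RRSIGs and its own DS RRset in hand, and that the cryptographic verification of each RRSIG against the named key has been done by the resolver library, which is not implemented here; only the key-membership rule is. The key tag and DS digest computations follow RFC 4034 (Appendix B and section 5.1.4) and RFC 4509 (SHA-256 digest type 2). The sample keys are constructed fixtures with placeholder public-key bytes, not real keys, and the zone name `example.` is a placeholder. Note that the SEP flag bit is never consulted, which is the point Edward makes about the SEP bit being a key-management convenience rather than a validation input.

```python
"""Parent-side check for a CDS RRset: accept only if signed by a key that is
represented in BOTH the child's DNSKEY RRset and the parent's DS RRset.
Added example; assumes RRSIG cryptographic verification happens elsewhere."""
import hashlib
from dataclasses import dataclass


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (labels lower-cased), RFC 4034 s6.2."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int        # 257 = zone key + SEP, 256 = zone key; SEP is NOT used below
    protocol: int     # always 3
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (algorithms other than RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self, digest_type: int = 2) -> str:
        """DS digest = hash(canonical owner name || DNSKEY RDATA); type 2 is SHA-256."""
        if digest_type != 2:
            raise ValueError("this example implements only DS digest type 2 (SHA-256)")
        return hashlib.sha256(wire_name(self.owner) + self.rdata()).hexdigest()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str      # lower-case hex


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


def cds_signed_by_trusted_key(zone, cds_owner, cds_rrsigs, dnskeys, parent_ds) -> bool:
    """Apply the draft's rule: CDS at apex, signed by a key in DNSKEY *and* DS.
    Returns False (i.e. 'ignore the CDS') whenever the rule is not met."""
    if cds_owner.lower().rstrip(".") != zone.lower().rstrip("."):
        return False                                  # not at the zone apex
    for sig in cds_rrsigs:
        if sig.type_covered != "CDS" or sig.signer.lower() != zone.lower():
            continue
        for key in dnskeys:                           # keys the signature claims
            if key.key_tag() != sig.key_tag or key.algorithm != sig.algorithm:
                continue
            for ds in parent_ds:                      # must also be in the DS set
                if (ds.key_tag == key.key_tag() and ds.algorithm == key.algorithm
                        and ds.digest_type == 2 and ds.digest == key.ds_digest(2)):
                    return True                       # chain of trust of length 1
    return False


# Constructed fixtures (placeholder key material, not real keys).
ZONE = "example."
KSK = DNSKEY(ZONE, 257, 3, 13, b"\x01\x02\x03\x04")   # in DS set at the parent
ZSK = DNSKEY(ZONE, 256, 3, 13, b"\x0a\x0b\x0c\x0d")   # in DNSKEY only
DNSKEY_SET = (KSK, ZSK)
PARENT_DS = (DS(KSK.key_tag(), 13, 2, KSK.ds_digest()),)


def run_scenarios():
    """(signed by DS-represented key, signed by DNSKEY-only key, not at apex)."""
    good = cds_signed_by_trusted_key(ZONE, ZONE, (RRSIG("CDS", 13, KSK.key_tag(), ZONE),),
                                     DNSKEY_SET, PARENT_DS)
    zsk_only = cds_signed_by_trusted_key(ZONE, ZONE, (RRSIG("CDS", 13, ZSK.key_tag(), ZONE),),
                                         DNSKEY_SET, PARENT_DS)
    off_apex = cds_signed_by_trusted_key(ZONE, "www.example.",
                                         (RRSIG("CDS", 13, KSK.key_tag(), ZONE),),
                                         DNSKEY_SET, PARENT_DS)
    return good, zsk_only, off_apex


if __name__ == "__main__":
    print("KSK tag", KSK.key_tag(), "ZSK tag", ZSK.key_tag(), run_scenarios())
```

The digest is compared rather than the key tag alone because key tags are a 16-bit checksum and can collide; matching on the DS digest is what actually ties the signing key to the parent's published trust anchor for the child.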
