> On 18 Aug 2021, at 4:35 pm, Ralph Seichter <ra...@ml.seichter.de> wrote:
>
> I still use RSA keys (algorithm 8). My main point is that I find it more
> convenient to only roll ZSK, and to only place KSK data into the parent
> zone. The latter requires me to ask my hosting provider to manually
> update key material in the TLD zones, and I try to keep the frequency of
> these updates low.
>
> "Your mileage may vary." ;-)

Yes, KSK + ZSK is substantially more compelling for RSA, where it makes sense to have a 2048-bit "long-term" KSK, and a smaller ~1280-bit ZSK rotated more often. The separate keys are also fine for ECDSA, but choosing the CSK approach becomes ~equally valid.

--
    Viktor.