On Oct 7 2009, Olaf Kolkman wrote:

[...]
At 4:09 PM -0400 10/6/09, Nicholas Weaver wrote:
Eric Rescorla has an explanation why the zone signing key rollover mechanism in DNSSEC for the root is a bad idea: It doesn't improve security and only makes things more complicated:

http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html
[...]

Really this is a DNSOP issue, more specifically an issue for RFC4641bis.

[I've added dnsop, please remove namedroppers when replying to this note]

Well, OK. This is arguably off-topic for both lists, but I was struck
by Eric quoting from

http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

| First, there are Key Signing Keys (KSK) which are used to sign
| other DNSKEY records and the DS records.
                      ^^^^^^^^^^^^^^^^^^

I wonder what gave them the idea that DS records were signed with
KSKs rather than (the parent's) ZSKs?

--
Chris Thompson               University of Cambridge Computing Service,
Email: c...@ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
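A toy model of the signing relationships Chris points at, added here as an example and not part of the thread: the DS RRset for a delegation lives in the parent zone and is signed by the parent's ZSK, while each zone's KSK signs only its own DNSKEY RRset. The zone names, key secrets and the HMAC stand-in for real RSA/ECDSA signatures are constructed for illustration only.

```python
import hashlib
import hmac

class Key:
    """Toy DNSKEY: owning zone, role (KSK or ZSK), and a secret standing in for a key pair."""
    def __init__(self, zone, role, secret):
        self.zone, self.role, self.secret = zone, role, secret
        self.key_tag = int.from_bytes(hashlib.sha256(secret).digest()[:2], "big")
    def sign(self, owner, rrtype, rdata):
        """RRSIG-like record over one RRset; HMAC stands in for a real signature (constructed)."""
        msg = f"{owner}|{rrtype}|{rdata}".encode()
        return {"key_tag": self.key_tag, "sig": hmac.new(self.secret, msg, hashlib.sha256).hexdigest()}

def ds_rdata(child_ksk):
    """DS rdata: a digest of the child's KSK, published and signed in the PARENT zone."""
    return hashlib.sha256(child_ksk.secret).hexdigest()

# Constructed keys for a two-level hierarchy: the root and a child zone "example."
ROOT_KSK, ROOT_ZSK = Key(".", "KSK", b"root-ksk"), Key(".", "ZSK", b"root-zsk")
EX_KSK, EX_ZSK = Key("example.", "KSK", b"ex-ksk"), Key("example.", "ZSK", b"ex-zsk")
KEYS = {k.key_tag: k for k in (ROOT_KSK, ROOT_ZSK, EX_KSK, EX_ZSK)}
# A zone's DNSKEY RRset is signed by its own KSK; every other RRset in the zone, the DS included, by its ZSK.
RRSETS = {
    (".", "DNSKEY"): f"KSK:{ROOT_KSK.key_tag},ZSK:{ROOT_ZSK.key_tag}",
    ("example.", "DS"): ds_rdata(EX_KSK),
    ("example.", "DNSKEY"): f"KSK:{EX_KSK.key_tag},ZSK:{EX_ZSK.key_tag}",
    ("www.example.", "A"): "192.0.2.1",
}
SIGNERS = {(".", "DNSKEY"): ROOT_KSK, ("example.", "DS"): ROOT_ZSK,
           ("example.", "DNSKEY"): EX_KSK, ("www.example.", "A"): EX_ZSK}
RRSIGS = {rr: SIGNERS[rr].sign(*rr, rdata) for rr, rdata in RRSETS.items()}

def signer_of(owner, rrtype):
    """Map an RRSIG's key tag back to (zone, role): which key signed this RRset?"""
    key = KEYS[RRSIGS[(owner, rrtype)]["key_tag"]]
    return key.zone, key.role

def verify(owner, rrtype):
    """Re-sign the RRset with the key the RRSIG's key tag names and compare."""
    sig = RRSIGS[(owner, rrtype)]
    expected = KEYS[sig["key_tag"]].sign(owner, rrtype, RRSETS[(owner, rrtype)])
    return hmac.compare_digest(sig["sig"], expected["sig"])

def validate_chain(trust_anchor=ROOT_KSK):
    ok = RRSIGS[(".", "DNSKEY")]["key_tag"] == trust_anchor.key_tag and verify(".", "DNSKEY")
    # The DS for example. is a root-zone RRset, so a root key (its ZSK) signs it, not any KSK.
    ok = ok and signer_of("example.", "DS")[0] == "." and verify("example.", "DS")
    # The DS digest must match the KSK that signs the child's DNSKEY RRset; then the child ZSK signs the leaf.
    child_ksk = KEYS[RRSIGS[("example.", "DNSKEY")]["key_tag"]]
    ok = ok and ds_rdata(child_ksk) == RRSETS[("example.", "DS")] and verify("example.", "DNSKEY")
    return ok and verify("www.example.", "A")
```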
