At 2:22 PM +0100 10/7/09, Joe Abley wrote:
>From this perspective we might roll a ZSK more frequently than a KSK because 
>the ZSK needs to be stored on-line to facilitate re-signing when the zone 
>changes. With the KSK we have the option of keeping it off-line, and arguably 
>the risk of compromise is consequently lower. Regular testing of the machinery 
>is still important, however.

Please define "on-line" and "off-line". In the deployments I have heard of, 
both types of keys are stored with the same security procedures, but the ZSK 
might be stored in a physically different location (or not). The operational 
aspects of using the two keys are nearly identical.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
