Hi Paul,

> I'm looking at telling opendnssec to sign the DNSKEY RRset with both the
> ZSK and KSK.

Interesting -- what would be the use of such a configuration? It would introduce more signatures, and so more things to check (overhead, delays) to the DNSKEY RRset, without introducing additional validation paths because the KSK is the mechanism to validate DNSKEY RRsets. Moreover, it could trigger concealed bugs -- for instance, a ZSK following a different algorithm than the KSK could influence the set of algorithms that is required by a validating resolver (presumably due to bugs) as a result of doing something so unconventional.

I'm curious about your usage pattern that would make this a necessity?

Cheers,
 -Rick

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
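Added example, not from this thread or from OpenDNSSEC itself: a small Python audit, run over constructed DNSKEY and RRSIG records, that reports which key roles sign the DNSKEY RRset, how many signatures a resolver has to process, and whether every algorithm present in the RRset is covered by a signature (the RFC 4035 section 2.2 rule that a ZSK on a different algorithm than the KSK brings into play). Key tags are computed per RFC 4034 Appendix B; the base64 key and signature material is placeholder data, and no cryptographic verification is done.

```python
import base64

# Constructed sample records (zone-file presentation format); the base64 key and signature
# material is placeholder data, not real keys, so only record structure is audited here.
DNSKEY_RRSET = [
    "example. 3600 IN DNSKEY 257 3 13 AQAB",      # KSK (SEP bit set), algorithm 13
    "example. 3600 IN DNSKEY 256 3 13 AwEAAQ==",  # ZSK, algorithm 13
]
DNSKEY_MIXED_ALG = [DNSKEY_RRSET[0], "example. 3600 IN DNSKEY 256 3 8 AwEAAQ=="]  # ZSK on alg 8
RRSIGS_KSK_ONLY = [  # conventional: only the KSK (key tag 1550) signs the DNSKEY RRset
    "example. 3600 IN RRSIG DNSKEY 13 1 3600 20240301000000 20240201000000 1550 example. c2lnMQ==",
]
RRSIGS_BOTH = RRSIGS_KSK_ONLY + [  # the setup asked about: the ZSK (key tag 1807) signs it too
    "example. 3600 IN RRSIG DNSKEY 13 1 3600 20240301000000 20240201000000 1807 example. c2lnMg==",
]

def key_tag(flags: int, algorithm: int, key_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for obsolete algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([3, algorithm]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskeys(lines):
    """Map key tag -> (role, algorithm); the SEP flag bit distinguishes KSK from ZSK."""
    keys = {}
    for t in map(str.split, lines):
        flags, algorithm, key = int(t[4]), int(t[6]), "".join(t[7:])
        keys[key_tag(flags, algorithm, key)] = ("KSK" if flags & 1 else "ZSK", algorithm)
    return keys

def parse_rrsigs(lines):
    """Return (algorithm, key tag) for every RRSIG whose covered type is DNSKEY."""
    return [(int(t[5]), int(t[10])) for t in map(str.split, lines) if t[4] == "DNSKEY"]

def audit(dnskey_lines, rrsig_lines):
    keys, sigs = parse_dnskeys(dnskey_lines), parse_rrsigs(rrsig_lines)
    roles = sorted({keys[tag][0] for _, tag in sigs if tag in keys})
    return {
        "signer_roles": roles,
        "ksk_path": "KSK" in roles,           # the path a resolver follows from the parent DS
        "zsk_signed_dnskey": "ZSK" in roles,  # the unconventional dual-signing setup
        "unmatched_key_tags": [tag for _, tag in sigs if tag not in keys],
        # RFC 4035 section 2.2: every algorithm in the DNSKEY RRset needs an RRSIG by that algorithm
        "unsigned_algorithms": sorted({a for _, a in keys.values()} - {a for a, t in sigs if t in keys}),
        "signature_count": len(sigs),         # each signature is extra validation work for resolvers
    }
```

Running `audit(DNSKEY_RRSET, RRSIGS_BOTH)` shows the dual-signing case as two signatures with both roles present, while `audit(DNSKEY_MIXED_ALG, RRSIGS_KSK_ONLY)` flags algorithm 8 as unsigned.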
