On Sep 17 2014, Graham Clinch wrote:
[...snip...]
>dnssec-dnskey-kskonly seems to split the community - Cambridge,
>Leicester & Loughborough appear to have it set, Bath (SWURCC) & Imperial
>do not. I haven't worked out a good reason for having the ZSK sign the
>DNSKEY rrset, so I've gone for 'yes'. The additional signature probably
>wouldn't make much difference though.
The only reason ever proposed for signing the DNSKEY RRset with ZSKs that
has seemed sensible to me is in the case when you are doing a transition
between a KSK+ZSK setup and a ZSK-only one. Otherwise it just inflates
the DNS responses unnecessarily.
The root zone signs only with its (so far never changed!) KSK, which
perhaps ought to suggest best practice, and so do many of the early
signed TLDs, such as "com", "net", "edu", not to mention "uk" (but "org"
does sign with a ZSK). I did a check yesterday, and of the 530 signed
TLDs 206 (38.9%) sign only with KSK(s). "Traditional" TLDs show a
somewhat higher proportion (59/125 = 47.2%) compared to "new generic"
ones (147/405 = 36.3%). There is a table at
http://people.ds.cam.ac.uk/cet1/tld-dnskey-sigs
for those interested.
--
Chris Thompson
University of Cambridge Information Services,
Roger Needham Building, 7 JJ Thomson Avenue,
Cambridge CB3 0RB, United Kingdom.
Email: [log in to unmask]
Phone: +44 1223 334715
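The kind of check the message above describes, namely which keys sign a zone's DNSKEY RRset, written here as an added example that is not the author's script or data: it tokenises constructed DNSKEY and RRSIG records, computes RFC 4034 key tags to tie each signature to a published key, and reports whether only SEP-flagged keys (KSKs) signed the set. The owner name `example.`, the dummy key bytes and the dummy signature bytes are assumptions.

```python
"""Added example (not the author's script or data): classify the keys that sign a
zone's DNSKEY RRset as KSK or ZSK from presentation-format records.  Key tags follow
RFC 4034 Appendix B (algorithm 1 not handled; colliding tags are reported, not guessed)."""
import base64
import struct

SEP_FLAG = 0x0001  # RFC 4034 s2.1.1: the Secure Entry Point bit marks a KSK

def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA: even bytes weighted by 256, then fold the carry."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_signing_roles(records) -> set:
    """Return {'KSK'}, {'ZSK'} or {'KSK', 'ZSK'}: roles of the keys whose RRSIGs cover DNSKEY.
    Lines are 'owner TTL IN DNSKEY flags proto alg b64' or 'owner TTL IN RRSIG covered alg
    labels origttl expiration inception keytag signer sig' (simplified tokenising)."""
    keys_by_tag = {}  # key tag -> set of is_ksk flags of the published keys with that tag
    for t in (line.split() for line in records if line.split()[3] == "DNSKEY"):
        tag = dnskey_key_tag(int(t[4]), int(t[5]), int(t[6]), base64.b64decode("".join(t[7:])))
        keys_by_tag.setdefault(tag, set()).add(bool(int(t[4]) & SEP_FLAG))
    roles = set()
    for t in (line.split() for line in records if line.split()[3] == "RRSIG"):
        if t[4] != "DNSKEY":  # only signatures over the DNSKEY RRset matter here
            continue
        matches = keys_by_tag.get(int(t[10]), set())
        if len(matches) != 1:  # unknown key tag, or a tag collision across roles
            raise ValueError(f"cannot attribute RRSIG with key tag {t[10]}")
        roles.add("KSK" if matches == {True} else "ZSK")
    return roles

def signs_dnskey_with_ksk_only(records) -> bool:
    """True when, as for the root zone, only SEP-flagged keys sign the DNSKEY RRset."""
    return dnskey_signing_roles(records) == {"KSK"}

# Constructed records: one KSK (flags 257), one ZSK (256), dummy key and signature bytes.
KSK_ONLY_ZONE = [
    "example. 3600 IN DNSKEY 257 3 13 AQID",
    "example. 3600 IN DNSKEY 256 3 13 BAUG",
    "example. 3600 IN RRSIG DNSKEY 13 1 3600 20141001000000 20140917000000 2064 example. c2ln",
]
# The same zone when the ZSK also signs DNSKEY (dnssec-dnskey-kskonly set to 'no').
KSK_AND_ZSK_ZONE = KSK_ONLY_ZONE + [
    "example. 3600 IN RRSIG DNSKEY 13 1 3600 20141001000000 20140917000000 3602 example. c2ln",
]
```

Against a real zone the records would come from a DNSKEY query with the DO bit set, and a key tag matching more than one published key needs actual signature verification to disambiguate, which this check deliberately refuses to guess at.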