KSKs are Key Signing Keys, which are a type of DNSKEY. KSKs are used only to sign the keys contained within a zone. Because they are used to sign less data, their usable cryptographic lifetime can be longer before new ones need to be created. The keys themselves can also be longer, since the longer signatures produced through their use will only be attached to a single RRset within a zone (the DNSKEY RRset). ZSKs, on the other hand, need to be changed on a more frequent basis since they are used to sign more data. KSKs are expected to be the keys configured for use by validating resolvers as Trust Anchors.
creates and uses DNSKEYs to sign the contents of a zone file.
can be used to update keys on a regular schedule.
The Trust Anchor page has a long example of what needs to be done to validate a signature up until it reaches a Trust Anchor.
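
The KSK/ZSK split described above can be checked mechanically. The following is an added example, not DNSSEC-Tools code: it classifies DNSKEY records by the Secure Entry Point flag (flags value 257, RFC 4034), computes their key tags, and reports signatures where a KSK covers anything other than the DNSKEY RRset. The records, key material and the `audit` helper are constructed for illustration, and it assumes KSKs carry the SEP flag.

```python
import base64

SEP = 0x0001  # Secure Entry Point bit: conventionally set on KSKs (flags 257)

# Constructed sample data: toy key material, not real keys.
DNSKEYS = [
    "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",  # KSK
    "example.com. 3600 IN DNSKEY 256 3 8 BQYHCA==",  # ZSK
]
# Constructed RRSIG summaries: (type covered, key tag of the signing key).
RRSIGS = [("DNSKEY", 2063), ("A", 4118), ("MX", 2063)]

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (not algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Parse 'owner ttl class DNSKEY flags proto alg key' into role and tag."""
    fields = line.split()
    flags, proto, alg = (int(x) for x in fields[4:7])
    key = base64.b64decode("".join(fields[7:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    return {"role": "KSK" if flags & SEP else "ZSK", "tag": key_tag(rdata)}

def audit(dnskeys, rrsigs):
    """List signatures that deviate from 'KSK signs only the DNSKEY RRset'."""
    # Key tags are not unique; a real check would also compare algorithm
    # and verify the signature itself.
    roles = {k["tag"]: k["role"] for k in map(parse_dnskey, dnskeys)}
    findings = []
    for covered, tag in rrsigs:
        role = roles.get(tag)
        if role is None:
            findings.append(f"{covered}: signed by unknown key tag {tag}")
        elif role == "KSK" and covered != "DNSKEY":
            findings.append(f"{covered}: signed by KSK {tag}")
    if not any(roles.get(t) == "KSK" and c == "DNSKEY" for c, t in rrsigs):
        findings.append("DNSKEY RRset has no KSK signature")
    return findings

if __name__ == "__main__":
    for finding in audit(DNSKEYS, RRSIGS):
        print(finding)
```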