DNSSEC-Tools being migrated -- expect broken links.
The process to convert older wiki pages to our new site is not yet complete; please be patient while we work through the moving process. -- 2018-08-11


KSKs are Key Signing Keys, which are a type of DNSKEY. KSKs are used only to sign the keys contained within a zone. Because they are used to sign less data their usable cryptographic life time can be longer before needing to create new ones. They can also be longer since the longer signatures produced through their use will only be attached to a single RRset within a zone (the DNSKEY RRset). ZSKs on the other hand need to be changed on a more frequent basis since they are used to sign more data. KSKs are expected to be the keys configured for use by validating resolvers as Trust Anchors. Zonesigner creates and uses DNSKEYs to sign the contents of a zone file. Rollerd can be used to update keys on a regular schedule.

See Also

See Also. The Trust Anchor page has a long example of what needs to be done to validate a signature up until it reaches a Trust Anchor.