KSK stands for Key Signing Key. A KSK is a public/private key pair. The KSK private key is used to generate a digital signature for the ZSK. The KSK public key is stored in the DNS and is used to authenticate the ZSK.
A ZSK is a Zone Signing Key. A ZSK is also a public/private key pair. The ZSK private key is used to generate a digital signature, known as a Resource Record Signature (RRSIG), for each of the resource record sets (RRsets) in a zone. The ZSK public key is stored in the DNS and is used to authenticate an RRSIG.
Each name within a DNSSEC-signed zone will be covered by an RRSIG.
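The two-step chain described above (KSK signs the ZSK, ZSK signs each RRset) is shown below as an added example; it is not code from the original page. It is a simplified model, not DNSSEC wire format: the use of Ed25519, the `Zone` type, the function names and the sample records are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Zone is a simplified model of a signed zone (assumption: not DNSSEC wire format).
type Zone struct {
	KSKPub, ZSKPub ed25519.PublicKey
	ZSKSig         []byte            // made with the KSK private key over the ZSK public key
	RRsets         map[string]string // "owner type" -> rdata (constructed sample data)
	RRSIGs         map[string][]byte // made with the ZSK private key, one per RRset
}

// keyFromByte derives a fixed key from a constructed seed so runs are repeatable.
func keyFromByte(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

// SignZone signs the ZSK with the KSK, then every RRset with the ZSK.
func SignZone(ksk, zsk ed25519.PrivateKey, rrsets map[string]string) *Zone {
	z := &Zone{KSKPub: ksk.Public().(ed25519.PublicKey), ZSKPub: zsk.Public().(ed25519.PublicKey),
		RRsets: rrsets, RRSIGs: map[string][]byte{}}
	z.ZSKSig = ed25519.Sign(ksk, z.ZSKPub)
	for name, rdata := range rrsets {
		z.RRSIGs[name] = ed25519.Sign(zsk, []byte(name+"|"+rdata))
	}
	return z
}

// Validate authenticates the ZSK with the trusted KSK public key, then the RRSIG with the ZSK.
func Validate(z *Zone, trustedKSK ed25519.PublicKey, name string) error {
	if !ed25519.Verify(trustedKSK, z.ZSKPub, z.ZSKSig) {
		return errors.New("ZSK is not authenticated by the KSK")
	}
	sig, ok := z.RRSIGs[name]
	if !ok || !ed25519.Verify(z.ZSKPub, []byte(name+"|"+z.RRsets[name]), sig) {
		return errors.New("no valid RRSIG covers " + name)
	}
	return nil
}

func main() {
	z := SignZone(keyFromByte(0x4b), keyFromByte(0x5a), map[string]string{"www.example. A": "192.0.2.10"})
	fmt.Println("signed zone:", Validate(z, z.KSKPub, "www.example. A"))
	z.RRsets["www.example. A"] = "203.0.113.66" // record altered after signing
	fmt.Println("altered record:", Validate(z, z.KSKPub, "www.example. A"))
}
```

A validator that trusts only the KSK public key rejects both an altered record and a record re-signed with a ZSK the KSK never signed.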