Skip to content

intro to DNSSEC skeleton#206

Merged
AlexanderBand merged 39 commits intomainfrom
intro
Oct 13, 2025
Merged

intro to DNSSEC skeleton#206
AlexanderBand merged 39 commits intomainfrom
intro

Conversation

@AlexanderBand
Copy link
Member

@AlexanderBand AlexanderBand commented Oct 11, 2025

No description provided.

ximon18
ximon18 reviewed Oct 12, 2025
View reviewed changes
@AlexanderBand AlexanderBand requested a review from a team October 12, 2025 20:13
@AlexanderBand AlexanderBand marked this pull request as ready for review October 12, 2025 20:13
@AlexanderBand
Copy link
Member Author

AlexanderBand commented Oct 12, 2025

This needs a review on content and structure before I do anything more. :)

ximon18
ximon18 reviewed Oct 12, 2025
View reviewed changes
@AlexanderBand
Copy link
Member Author

AlexanderBand commented Oct 13, 2025

To be clear, the glosaary is an exact copy of the terms in RFC 9499.

@ximon18
Copy link
Member

ximon18 commented Oct 13, 2025

Suggestion: Make the DNSSEC on the index page point to the new "An Intro to DNSSEC" page.

ximon18
ximon18 reviewed Oct 13, 2025
View reviewed changes
ximon18
ximon18 reviewed Oct 13, 2025
View reviewed changes
ximon18
ximon18 reviewed Oct 13, 2025
View reviewed changes
ximon18
ximon18 reviewed Oct 13, 2025
View reviewed changes
maertsen
maertsen reviewed Oct 13, 2025
View reviewed changes
Copy link
Member

@maertsen maertsen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very readable imo., nice job. I made some suggestions here and there.

ximon18
ximon18 reviewed Oct 13, 2025
View reviewed changes
doc/manual/source/intro.rst
Zone Signing Keys
"""""""""""""""""

Each zone in DNSSEC has a :term:`Zone signing key (ZSK)` set. The private
Copy link
Member

@ximon18 ximon18 Oct 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think talking about key sets is making this complex. In the simplest case a zone has a single signing key pair which signs all RRSETs in the zone. When using a single key this is called a CSK. For operational management purposes that signing may be separated into two steps, signing records which create the link in the trust tree with a KSK, and all other records in the zone with a ZSK. Additionally, when migrating one key to another there may be a second key of that "role" in the zone temporarily, or perhaps even a third for some multi-signer setups I believe. But as far as resolvers are concerned each RRSET in the zone needs to be verifiable using at least one of the zone apex DNSKEY RR public keys.

ximon18
ximon18 reviewed Oct 13, 2025
View reviewed changes
ximon18
ximon18 reviewed Oct 13, 2025
View reviewed changes
ximon18
ximon18 reviewed Oct 13, 2025
View reviewed changes
@AlexanderBand AlexanderBand merged commit 77ce916 into main Oct 13, 2025
1 check passed
@AlexanderBand AlexanderBand deleted the intro branch October 13, 2025 15:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maertsen maertsen maertsen left review comments

@ximon18 ximon18 ximon18 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AlexanderBand @ximon18 @maertsen