Ticket #481 (new enhancement)
Seperating KSK and ZSK to prevent compromise of KSK
|Reported by:||anon||Owned by:||ahu|
As the KSK in terms records is just 2 records, the DNSKEY-record for the public key part of the KSK and the RRSIG over all the DNSKEY-records.
If the RRSIG is added to the records-table, than the KSK private key does not have to be stored with the rest of the key material for other operations than changing keys.
The KSK private key could be kept in the filesystem, a HSM or not be replicated when using a database as in hidden master-like setup or offline.
It might not work with presigned because of ordering, but with presigned you might as well not even keep the cryptokeys table in the database.
It should work in theory with something like NSEC3-narrow.
I'm not sure about the other modes of DNSSEC operation PowerDNS supports.