Hello,
Usually DNSSEC should use a ZSK to sign zone records rather than directly using the KSK, and a ZSK is easier to update frequently; DNS providers like Cloudflare usually use a ZSK to sign as well.
Hi cjydev,
Thanks for your message, and welcome to deSEC!
Do you have any reasons or references for your suggestions?
Stay secure,
Peter
Hi, Peter
RFC 4033 (DNS Security Introduction and Requirements)
“Zone Signing Key (ZSK): An authentication key that corresponds to a private key used to sign a zone. Typically, a zone signing key will be part of the same DNSKEY RRset as the key signing key whose corresponding private key signs this DNSKEY RRset…”
“Key Signing Key (KSK): An authentication key that is used to sign other authentication keys (typically ZSKs)”
Using KSK→ZSK→zone is a standardized solution, and others like Cloudflare also use this.
While using two different keys (KSK and ZSK) is standardized, the other approach where only one key is used is also standardized. So I wondered if you had any specific reasons for the split model.
RFC 6871 considers both models. Section 3.1 has motivations for the split, and ends with:
the operational complexity of a KSK-ZSK split may outweigh the costs of operational flexibility, and choosing a Single-Type Signing Scheme is a reasonable option.
We’ve determined that this is better in our case, and it’s fully standards compliant. If you still think this should change, we’d be interested in learning what your specific concerns are.
Stay secure,
Peter
Hello,
Thanks for the clarification.
In the Single-Type Signing model the KSK is signing everything, even short-lived records, and usually ZSKs don’t rotate often, so it is more likely to stay active longer than ideal. And if the KSK needs an emergency swap, it’s required to update the DS record on the registry side. And I can see large DNS providers, like Azure, AWS, Cloudflare and GCP, all use the separated KSK and ZSK model.
We understand these considerations.
Can you elaborate why our mode of operation is a problem for you?
Stay secure,
Peter
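The two schemes discussed in this thread can be told apart from a zone's published records alone: which key tags appear in the RRSIGs over the DNSKEY RRset versus over ordinary zone data. The following is an added example (not deSEC's or any provider's code) that parses DNSKEY and RRSIG records in presentation format, computes key tags per RFC 4034 Appendix B, classifies the zone as split (KSK/ZSK) or Single-Type, and reports whether an emergency roll of the data-signing key would also require a DS update at the parent. The sample records, key material and signatures are constructed placeholders.

```python
import base64
import struct

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str) -> dict:
    # presentation format: owner ttl class DNSKEY flags protocol algorithm key; flag bit 1 is SEP (KSK)
    _, _, _, _, flags, proto, alg, *key = line.split()
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))
    return {"sep": bool(int(flags) & 1), "tag": key_tag(rdata)}

def signer_tags(rrsigs: list[str]) -> tuple[set[int], set[int]]:
    # RRSIG presentation format: type-covered is token 4, key tag is token 10
    apex = {int(r.split()[10]) for r in rrsigs if r.split()[4] == "DNSKEY"}
    data = {int(r.split()[10]) for r in rrsigs if r.split()[4] != "DNSKEY"}
    return apex, data

def signing_scheme(dnskeys: list[str], rrsigs: list[str]) -> str:
    # RFC 6781 section 3.1: KSK/ZSK split vs Single-Type Signing Scheme
    keys = {k["tag"]: k["sep"] for k in map(parse_dnskey, dnskeys)}
    apex, data = signer_tags(rrsigs)
    if (apex | data) - keys.keys():
        return "inconsistent"  # an RRSIG names a key tag absent from the DNSKEY RRset
    if apex and data and all(keys[t] for t in apex) and all(not keys[t] for t in data):
        return "split"
    if data and apex == data and all(keys[t] for t in data):
        return "single-type"
    return "mixed"

def emergency_roll_needs_ds_update(dnskeys: list[str], rrsigs: list[str]) -> bool:
    # True when a key signing zone data also signs the DNSKEY RRset (the key the parent DS anchors)
    apex, data = signer_tags(rrsigs)
    return bool(apex & data)

# Constructed sample records (placeholder key and signature material, not real keys)
ZERO_KEY = "A" * 86 + "=="            # 64 zero bytes, base64
ONE_KEY = "AQAA" + "A" * 82 + "=="    # 64 bytes, first byte 0x01
SIG = "20250201000000 20250101000000"  # expiration inception
SPLIT_DNSKEYS = [f"example.org. 3600 IN DNSKEY 257 3 13 {ZERO_KEY}",   # KSK, tag 1038
                 f"example.org. 3600 IN DNSKEY 256 3 13 {ONE_KEY}"]    # ZSK, tag 1293
SPLIT_RRSIGS = [f"example.org. 3600 IN RRSIG DNSKEY 13 2 3600 {SIG} 1038 example.org. c2ln",
                f"www.example.org. 3600 IN RRSIG A 13 3 3600 {SIG} 1293 example.org. c2ln"]
SINGLE_DNSKEYS = [f"example.net. 3600 IN DNSKEY 257 3 13 {ZERO_KEY}"]  # one SEP key, tag 1038
SINGLE_RRSIGS = [f"example.net. 3600 IN RRSIG DNSKEY 13 2 3600 {SIG} 1038 example.net. c2ln",
                 f"www.example.net. 3600 IN RRSIG A 13 3 3600 {SIG} 1038 example.net. c2ln"]
```

Calling `signing_scheme(SINGLE_DNSKEYS, SINGLE_RRSIGS)` yields "single-type" and `emergency_roll_needs_ds_update` returns True for it, while the split zone yields "split" and False.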