11 May
2022
11 May
'22
2:07 p.m.
On 11 May 2022, at 12:53, Anand Buddhdev <anandb@ripe.net> wrote:
On Tuesday 3 May, we performed a DNSSEC Key Signing Key (KSK) roll-over for all the zones that we maintain and sign. During this roll-over, we dropped the Zone Signing Keys (ZSKs), and began signing the zones with just their new KSKs. Technically, these keys are the same as any other KSKs, but since they sign the entire zone, and there's no ZSK, such KSKs are informally known as Combined Signing Keys (CSKs).
Many thanks for the update Anand. Could you give a bit more detail on why you decided to dump the ZSKs? Was it just a matter of having fewer keys to manage and fewer moving parts that could break?