DNSSEC KSK

E212351

The DNSSEC KSK (Key Signing Key) is a long-term cryptographic key used to sign and authenticate a zone’s DNSKEY records, forming the trust anchor at the top of the DNSSEC validation chain.

All labels observed (1)

Label Occurrences
DNSSEC KSK canonical 3

How this entity was disambiguated

Statements (47)

Predicate Object
instanceOf DNSSEC key
cryptographic key
algorithm public-key cryptography algorithm
associatedWith DNSKEY record set
DNSSEC zone
canBe offline key
category DNS security extension
internet security
definedIn DNSSEC specifications
definedInStandard RFC 4033
RFC 4034
RFC 4035
distinguishedFrom DNSSEC ZSK
enables validation of DNSSEC-signed zones
forms trust anchor
hasKeyType KSK
hasKeyUsage signing DNSKEY RRset only
hasProperty private key component kept secret
public key component in DNSKEY record
hasRoleIn DNSSEC
identifiedBy DNSKEY flags field value 257
lifetime long-term key
mayUseAlgorithm Elliptic Curve Digital Signature Algorithm
surface form: ECDSA

EdDSA
RSA
notUsedFor signing general zone data
participatesIn DNSSEC chain of trust
positionInChain top of DNSSEC validation chain
publishedIn zone apex
relatedConcept DNSKEY record
DNSSEC ZSK
RRSIG record
trust anchor
requires periodic key rollover
secure key management
role key signing key
rotationProcess KSK rollover
scope single DNSSEC zone
securityImpactOfCompromise loss of trust in zone DNSSEC chain
signs DNSKEY RRset
zone DNSKEY records
storedAs DNSKEY resource record
trustModel configured trust anchor in validating resolvers
usedFor authenticating DNSKEY records
signing DNSKEY records
validatedBy DNS resolvers performing DNSSEC validation
trust anchor configuration in resolvers

How these facts were elicited

Referenced by (3)

Full triples — surface form annotated when it differs from this entity's canonical label.

DNSSEC ZSK trustAnchoredVia DNSSEC KSK
DNSSEC ZSK associatedWith DNSSEC KSK