DNSSEC ZSK
E38040
DNSSEC ZSK (Zone Signing Key) is the cryptographic key used in DNS Security Extensions to sign individual DNS zone data, ensuring the authenticity and integrity of DNS responses.
Statements (44)
| Predicate | Object |
|---|---|
| instanceOf | DNSSEC key; cryptographic key |
| abbreviationOf | Zone Signing Key |
| algorithm | ECDSA; EdDSA; RSA |
| associatedWith | DNSSEC KSK |
| belongsToStandard | DNSSEC |
| canBeStoredIn | HSM |
| category | DNS infrastructure; internet security |
| definedIn | DNSSEC operational practices RFCs; RFC 4034; RFC 4035 |
| doesNotProvide | confidentiality |
| fullName | DNSSEC Zone Signing Key |
| keyLength | typically shorter than KSK |
| keyType | asymmetric key |
| lifetime | shorter operational lifetime than KSK |
| managedBy | zone operator |
| operationalRole | sign operational zone data |
| produces | RRSIG records |
| purpose | ensure authenticity of DNS responses; ensure integrity of DNS responses; sign DNS zone data |
| representation | DNSKEY RR with ZSK flag |
| rotatedMoreFrequentlyThan | DNSSEC KSK |
| rotationPractice | periodic key rollover |
| scope | single DNS zone |
| securityProperty | data integrity; data origin authentication |
| signs | DNS resource record sets; zone data |
| storedIn | DNS zone |
| threatMitigated | DNS cache poisoning; DNS response spoofing |
| trustAnchoredVia | DNSSEC KSK |
| usedBy | authoritative DNS servers |
| usedIn | DNS Security Extensions |
| usedWith | DNSKEY records |
| validatedBy | DNS resolvers supporting DNSSEC |
| verifiableBy | validating recursive resolvers |
| verificationInput | RRSIG and DNSKEY records |
| verificationMechanism | public key in DNSKEY record |
Referenced by (1)
| Subject (surface form when different) | Predicate |
|---|---|
| Domain Name System root zone | hasKeyType |