GitLab

These DNSSEC-cabable servers are maintained at these DNSSEC-enabled domains: BIND → isc.org NSD → nlnetlabs.nl PowerDNS → powerdns.com KnotDNS → knot-dns.cz

Of the mentioned domains, only isc.org signs the DNSKEYs using ZSK.

Per thread “On obsoleting DNSSEC RFCs; Example from RFC 4035” from today at https://mailarchive.ietf.org/arch/browse/dnsop/ these extra RRSIG add to the payload, without having added value.

Please switch the default for dnssec-dnskey-kskonly to YES and possibly write some explanations why shall one want to use NO.

Also add some default, when the KSK is ECDSA P-256 (algorithm 13) and there are no ZKS, to use the KSK for singing anything, as this makes sense.

Per the fourt message of the mentioned discussion, state that with algorith 13 the answers fit in UDP and there is no need for ZKS: if the KSK in algorithm 13, then there is no need for ZKS. And possibly adjust this logic for ISC.ORG, or write in the documentation why you do not agree with this logic.