Comment Re:Can someone explain ZSK and KSK? (Score 1) 57
The KSK signs only DNSKEY records, and the ZSK signs all other relevant resource records in the zone. Your DNSSEC delegation comes from a DS record (a fingerprint of your KSK) which is included (and signed) in the delegating zone. The practical upshot of this is you can change your ZSK frequently without having to update the DS record upstream (thus contacting your delegator) every time you do so.