Is it possible to use one KSK for multiple domains?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Nov 20 08:16:42 UTC 2008
On Wed, Nov 19, 2008 at 09:55:52PM +0100, Adam Tkac <atkac at redhat.com> wrote a message of 17 lines which said:
> If I understand correctly what RFC 4034, section 2.1.1 says "... If
> bit 7 has value 1, then the DNSKEY record holds a DNS zone key, and
> the DNSKEY RR's owner name MUST be the name of a zone..." it is
> impossible. Each zone has to have its own KSK and ZSK pair, doesn't
> it?
[Warning: still struggling with the subtleties of KSK/ZSK.]
The text you quote is for DNS publication. But you typically do not
put the KSK in the DNS, no?
I would say, quoting Tolkien: one ZSK per zone, but only one KSK to
sign them all.
[AFNIC manages six TLDs so the answer interests us, too.]
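As an added illustration (not part of the thread above), the following Python snippet applies the RFC 4034 section 2.1.1 rules that Adam quotes: it decodes the DNSKEY flags field (bit 7 = Zone Key, bit 15 = SEP, the usual KSK marker), checks that a zone key's owner name is the zone name, and computes the key tag from RFC 4034 Appendix B so a DNSKEY can be matched against a DS record. The presentation-format DNSKEY lines used in the test are constructed sample data, not real keys.

```python
import base64
from dataclasses import dataclass

ZONE_KEY_BIT = 0x0100  # RFC 4034 s2.1.1: bit 7 of the 16-bit flags field
SEP_BIT = 0x0001       # RFC 4034 s2.1.1: bit 15, Secure Entry Point (KSK hint)


@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


def parse_dnskey(line: str) -> DnsKey:
    """Parse one DNSKEY RR in presentation format:
    <owner> <TTL> IN DNSKEY <flags> <protocol> <algorithm> <base64 key>"""
    fields = line.split()
    if len(fields) < 8 or fields[3].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY RR: %r" % line)
    flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
    key = base64.b64decode("".join(fields[7:]))  # key may be split over several tokens
    return DnsKey(fields[0].lower(), flags, proto, alg, key)


def key_tag(k: DnsKey) -> int:
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words,
    fold the carry back in, and keep the low 16 bits."""
    rdata = k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def classify(k: DnsKey, zone: str) -> str:
    """Apply the rules quoted in the thread: a zone key has bit 7 set and its
    owner name MUST be the zone name; SEP then distinguishes KSK from ZSK."""
    if not k.flags & ZONE_KEY_BIT:
        return "not-a-zone-key"
    if k.owner != zone.lower():
        return "owner-mismatch"   # DNSKEY published under a name other than the zone
    if k.protocol != 3:
        return "bad-protocol"     # RFC 4034 s2.1.2: protocol MUST be 3
    return "KSK" if k.flags & SEP_BIT else "ZSK"
```

Note that both a KSK (flags 257) and a ZSK (flags 256) carry the Zone Key bit; the SEP bit is only a hint for which key the DS in the parent should point at.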