Is it possible to use one KSK for multiple domains?

Chris Thompson cet1 at cam.ac.uk
Thu Nov 20 15:36:32 UTC 2008


On Nov 20 2008, Stephane Bortzmeyer wrote:

>On Thu, Nov 20, 2008 at 11:55:17AM +0000,
> Chris Thompson <cet1 at cam.ac.uk> wrote 
> a message of 33 lines which said:
>
>>> The text you quote is for DNS publication. But you typically do not
>>> put KSK in the DNS, no?
>>
>> Sure you do. How could a validator use it if you didn't? 
>
>Because it is published as a trust anchor?

In theory, I suppose that's true: the named.conf trusted-keys entries are
just the textual representation of a KSK. (I've not seen a secure zone
actually configured to leave out the KSK, though, so I'm not sure this
would work.)

But who wants to publish trust anchors? Much better to get the KSK 
validated from the parent zone (DS record) or a trusted source (DLV record).
And neither of those has enough data to actually *reconstruct* the KSK.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
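
The point made above (a trusted-keys entry is the whole KSK in textual form,
whereas a DS record is only a key tag plus a digest of the DNSKEY, so it cannot
be turned back into the key) can be checked directly. The following is an added
example, not code from the thread or from BIND: it builds the DS record for a
constructed DNSKEY the way RFC 4034 section 5.1.4 describes (digest over the
owner name in canonical wire form followed by the DNSKEY RDATA) and does the
validator-side comparison. The owner name example.com., the 4-byte "public key"
AQIDBA== and the flags/algorithm values are made up for the illustration and are
not a real key.

```python
"""Why a DS record cannot give you back the KSK: it carries only a key tag and a
digest of (owner name in wire form + DNSKEY RDATA), per RFC 4034 section 5.1.4.
A named.conf trusted-keys entry, by contrast, carries the whole public key.

All key material below is constructed for this example; it is not a real key."""
import base64
import hashlib
import struct

# Constructed sample KSK (4-byte "public key": 01 02 03 04). Flags 257 = ZONE + SEP,
# the usual KSK flags; protocol is always 3; algorithm 8 = RSA/SHA-256.
OWNER = "example.com."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8
PUBKEY_B64 = "AQIDBA=="

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, no compression."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the form used for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """What the parent publishes for a child KSK: (key tag, algorithm, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """Validator-side check: does this DNSKEY from the child hash to the parent's DS?
    The check only works in this direction; the digest has no inverse."""
    tag, alg, dtype, digest = ds
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest)


def ds_presentation(owner, ds) -> str:
    """Zone-file form of the DS record the parent would publish."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def trusted_keys_stanza(owner, flags, protocol, algorithm, pubkey_b64) -> str:
    """BIND 9 named.conf trusted-keys entry: the full key, not a digest of it."""
    return f'trusted-keys {{\n    "{owner}" {flags} {protocol} {algorithm} "{pubkey_b64}";\n}};'


if __name__ == "__main__":
    ds = ds_from_dnskey(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    print(ds_presentation(OWNER, ds))
    print(trusted_keys_stanza(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64))
    print("DS matches the KSK:", ds_matches_dnskey(ds, OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64))
    # The same key bytes with the SEP bit cleared (flags 256, a ZSK) hash to a different DS.
    print("DS matches the ZSK:", ds_matches_dnskey(ds, OWNER, 256, PROTOCOL, ALGORITHM, PUBKEY_B64))
```

Note that the digest covers the flags as well as the key bytes, so a DS
published for the KSK will not match the same RSA modulus republished with
ZSK flags; that is why a DS record identifies one specific DNSKEY RR rather
than a key in the abstract.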
