DNSSEC: give KSK from my domain to parent zones

Chris Thompson cet1 at cam.ac.uk
Fri Oct 5 15:57:53 UTC 2018


On Oct 4 2018, Mark Elkins wrote:

>On 10/04/2018 05:03 PM, Roberto Carna wrote:
[...]
>> I have two DNS servers running BIND 9.10, they have delegated my own
>> domain, let's say "robert.com.uk" and some
>> other domains from our clients, let's say:
>>
>> client1.com.uk
>> client2.edu.uk
>> client3.info.uk
>>
>> Can I sign theses client zones with my ZSK, or do I have to have a
>> different key for each domain?
>
>I believe common practice is to create separate KSK and ZSK keys for
>each domain - so each domain will have their own DS records in the
>parent. This way, if one of the clients moves their domain to a new DNS
>provider - there is no security conflict in the move from shared keys.

Even if you make the RDATA of the KSKs identical for the different zones,
the DS records you will need to insert into the parent zones will be
different, because the hashing algorithm includes the KSK owner name
(i.e. the zone name) in its input. See RFC 4034 section 5.1.4.

Similarly using ZSKs with identical RDATA in the different zones will
not make any of the RRSIGs the same (e.g. for the www.[zonename] RRs
in different zones), because the full owner name is included in the
hashing input.

>(Use a different Key)

Yes. Because there are no advantages whatsoever in doing otherwise!

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
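The DS digest construction Chris refers to (RFC 4034 section 5.1.4), as an added worked example that is not part of the thread and was not written by any of the posters or by the BIND project. It builds one DNSKEY RDATA from constructed key bytes (not a real public key) and computes the DS record each parent would need for the three client zones from the question. The key tag (RFC 4034 Appendix B) covers only the RDATA, so it comes out identical across zones, while the digest covers the owner name as well and differs for every zone.

```python
"""DS digest computation per RFC 4034 section 5.1.4, showing why identical
KSK RDATA under different zone names still yields different DS records."""
import hashlib
import struct

# Constructed sample key material: NOT a real public key, just 64 fixed
# bytes standing in for an ECDSA P-256 public key (algorithm 13).
SAMPLE_PUBKEY = bytes(range(1, 65))
KSK_FLAGS = 257        # Zone Key (bit 7) + Secure Entry Point (bit 15)
PROTOCOL = 3           # always 3 for DNSSEC
ALGORITHM = 13         # ECDSAP256SHA256
DIGEST_TYPE = 2        # SHA-256

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased, length-prefixed labels ending in the zero-length root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = b""
    for label in labels:
        if len(label) > 63:
            raise ValueError(f"label too long in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags (2 bytes), protocol (1), algorithm (1), key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1).
    Only the RDATA goes in, so zones sharing a key share the tag."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DIGEST_TYPE) -> str:
    """RFC 4034 section 5.1.4: digest = hash(DNSKEY owner name || DNSKEY RDATA).
    The owner name (the zone apex) is part of the hashed input."""
    h = DIGESTS[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = DIGEST_TYPE) -> str:
    """Presentation-format DS RR as it would be published in the parent."""
    algorithm = rdata[3]
    return (f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


def shared_ksk_ds_set(zones, rdata: bytes) -> dict:
    """DS record per zone if every zone were signed with the same KSK RDATA."""
    return {zone: ds_record(zone, rdata) for zone in zones}


def digests_all_distinct(zones, rdata: bytes) -> bool:
    """True when each distinct zone name gets a distinct DS digest."""
    names = {z.rstrip(".").lower() for z in zones}
    digests = {ds_digest(z, rdata) for z in zones}
    return len(digests) == len(names)


if __name__ == "__main__":
    zones = ["client1.com.uk", "client2.edu.uk", "client3.info.uk"]
    rdata = dnskey_rdata(KSK_FLAGS, PROTOCOL, ALGORITHM, SAMPLE_PUBKEY)
    print(f"shared key tag: {key_tag(rdata)}")
    for ds in shared_ksk_ds_set(zones, rdata).values():
        print(ds)
    print("all DS digests distinct:", digests_all_distinct(zones, rdata))
```

Running it prints three DS records carrying the same key tag and three different digests, which is the situation Chris describes: a shared KSK buys nothing at the parent, since each parent still needs its own DS. The same owner-name dependence is why shared ZSK RDATA does not produce shared RRSIGs, though signing is not shown here.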




