shared KSK for static zone and dynamic subzone?
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 26 09:15:18 UTC 2011
On 04/26/2011 02:13 AM, /dev/rob0 wrote:
> I feel like I am understanding the "how" of this DNSSEC stuff, but
> I'm not so sure about some of the "whys". This post is asking a bit
> of both.
>
> I've got a static zone, nodns4.us., which is now signed. It's the
> parent zone to dynamic.nodns4.us., a dynamic zone. Is there any
> reason why I can't use the parent zone's KSK for the dynamic zone?
> Better yet, is there a reason why I shouldn't?

Better yet, why *would* you? Keys aren't exactly expensive to generate.

Anyway, the answer is "not really". The keys that bind generates include
the zone name, and you can't easily use a key whose name != zone, and
certainly not whose name is in a different zone.

You're just complicating your life to no benefit. Use a different key
for the child.
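
The name binding described in the reply above can be checked mechanically. This is an added example, not part of the original post: it reads the DNSKEY owner name from BIND-style `.key` file contents and reports which keys match a given zone apex. The key tags, algorithm 8 and the base64 placeholders are constructed sample values.

```python
# Constructed sample .key file contents (placeholder key data, not real keys).
SAMPLE_KEYS = {
    "Knodns4.us.+008+11111.key":
        "; key-signing key for nodns4.us.\n"
        "nodns4.us. IN DNSKEY 257 3 8 AwEAAcPLACEHOLDER1\n",
    "Knodns4.us.+008+22222.key":
        "nodns4.us. IN DNSKEY 256 3 8 AwEAAcPLACEHOLDER2\n",
    "Kdynamic.nodns4.us.+008+33333.key":
        "dynamic.nodns4.us. 3600 IN DNSKEY 257 3 8 AwEAAcPLACEHOLDER3\n",
    "Kdynamic.nodns4.us.+008+44444.key":
        "Dynamic.NoDNS4.us. IN DNSKEY 256 3 8 AwEAAcPLACEHOLDER4\n",
}


def canon(name):
    """Lower-case a domain name and give it exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def parse_dnskey(text):
    """Return (owner, role) for the first DNSKEY record in a .key file."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments
        if "DNSKEY" in fields:
            flags = int(fields[fields.index("DNSKEY") + 1])
            # SEP bit (0x0001) set means the key is published as a KSK.
            return canon(fields[0]), "KSK" if flags & 0x0001 else "ZSK"
    raise ValueError("no DNSKEY record found")


def audit(zone, keys):
    """Map each key file to (role, owner name equals the zone apex)."""
    zone = canon(zone)
    report = {}
    for fname, text in keys.items():
        owner, role = parse_dnskey(text)
        report[fname] = (role, owner == zone)
    return report


def keys_for(zone, keys=SAMPLE_KEYS):
    """File names of the keys whose owner name is this zone's apex."""
    return sorted(f for f, (_, ok) in audit(zone, keys).items() if ok)


if __name__ == "__main__":
    for zone in ("nodns4.us", "dynamic.nodns4.us"):
        print(zone, "->", keys_for(zone))
```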