shared KSK for static zone and dynamic subzone?
/dev/rob0
rob0 at gmx.co.uk
Wed Apr 27 03:40:03 UTC 2011
On Tue, Apr 26, 2011 at 10:15:18AM +0100, Phil Mayers wrote:
> On 04/26/2011 02:13 AM, /dev/rob0 wrote:
> > Is there any
> >reason why I can't use the parent zone's KSK for the dynamic
> >zone? Better yet, is there a reason why I shouldn't?
>
> Better yet, why *would* you? Keys aren't exactly expensive to
> generate.
Again, the $SUBJECT problem is resolved, but I have come upon a
possible reason to reuse a key.
I'm setting up a private namespace (RFC 1918 networks and imaginary
domain names) named+dhcpd system with three static zones, a dynamic
forward zone, and two dynamic reverse zones. Six total.
I want all these zones to be signed. Why? No good reason, just a
learning exercise, actually. "Because I can."
Obviously I can't get into the root with DS records. I'm going to
have an "island of security."
Two or three other sites are running named and connected via VPN.
These sites need to be able to validate my signatures.
With one KSK and one ZSK per zone, we're looking at *12* keys to go
in the connected sites' trusted-keys. Errr, no, I guess I only need
the KSKs, but still, that's 6. I'd prefer that it be fewer than that.
One sounds simpler, in fact.
While writing this, a compromise came to me. :) I can run forward
zones as children of a single TLD, and use 168.192.in-addr.arpa. as
parent for all my reverse zones. :)
So that's what I'm going to do. Two more zones, four more keys, but
only two in trusted-keys. Tolerable.
> Anyway, the answer is "not really". The keys that bind generates
> include the zone name, and you can't easily use a key whose name
> != zone, and certainly not whose name is in a different zone.
>
> You're just complicating your life to no benefit. Use a different
> key for the child.
I'm a bit late to the DNSSEC party, what with the signed root being
in place already, but ISTM that these trusted-keys could be a major
management problem. Am I wrong? Is it still a problem?
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
More information about the bind-users
mailing list