Question about KSK
Tony Finch
dot at dotat.at
Fri Apr 27 15:18:30 UTC 2012
WBrown at e1b.org <WBrown at e1b.org> wrote:
> We are authoritative for a few dozen small zones. Is it possible to use
> the same KSK for all of them? I can see where if it gets compromised we
> would need to resign all zones using the KSK at once. How much effort
> would I be saving sharing the KSK?
With BIND it is much easier not to share keys - the easy-to-use signing
features (auto-dnssec maintain and dnssec-signzone -S) rely on key
filenames that contain the zone name.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forth, Tyne, Dogger, Northwest Fisher: Northwesterly, veering northeasterly, 4
or 5, occasionally 6 in Dogger. Slight or moderate, occasionally rough at
first. Showers. Good.
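
Added example (not part of the original message and not BIND's own code): with one key set per zone, a quick audit of the key directory shows which zones still lack a KSK or ZSK before automatic signing is enabled. It assumes BIND's `K<zone>.+<algorithm>+<keytag>.key` file naming and DNSKEY flags 257 (KSK) and 256 (ZSK); the function names, zone names and key data are constructed for illustration.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed BIND key file name: K<zone>.+<3-digit algorithm>+<5-digit key tag>.key
KEY_FILE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")
ROLES = {257: "KSK", 256: "ZSK"}  # DNSKEY flags field: SEP bit set / clear


def dnskey_flags(path):
    """Return the DNSKEY flags field from a .key file, or None if absent."""
    for line in path.read_text().splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        if "DNSKEY" in fields:
            return int(fields[fields.index("DNSKEY") + 1])
    return None


def audit_key_dir(key_dir, zones):
    """Map each zone to the sorted list of key roles it lacks in key_dir."""
    found = defaultdict(set)
    for path in Path(key_dir).iterdir():
        m = KEY_FILE.match(path.name)
        if m:
            role = ROLES.get(dnskey_flags(path))
            if role:
                found[m["zone"].lower().rstrip(".")].add(role)
    return {z: sorted({"KSK", "ZSK"} - found[z.lower().rstrip(".")])
            for z in zones}


def demo():
    """Constructed sample: a.example has both keys, b.example only a ZSK."""
    files = {  # constructed file names and placeholder key data
        "Ka.example.+008+11111.key": "a.example. IN DNSKEY 257 3 8 AwEAAQ==\n",
        "Ka.example.+008+22222.key": "a.example. IN DNSKEY 256 3 8 AwEAAQ==\n",
        "Kb.example.+008+33333.key": "b.example. 3600 IN DNSKEY 256 3 8 AwEAAQ==\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, rr in files.items():
            Path(d, name).write_text(rr)
        return audit_key_dir(d, ["a.example", "b.example", "c.example"])


if __name__ == "__main__":
    print(demo())
```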