DNSSEC -> subdomains -> keys
Ondřej Surý
ondrej at isc.org
Sat Dec 7 17:58:36 UTC 2019
It is certainly possible, but it requires some manual changes to the respective public and private key files to match the zones.
But I would concur with Chuck that the benefit from doing so is nonexistent and unless you have specific strong reasons to do so, it’s better to have a separate key-pair for every signed zone.
Ondrej
--
Ondřej Surý — ISC
> On 7 Dec 2019, at 18:36, Chuck Aurora <ca at nodns4.us> wrote:
>
> On 2019-12-07 08:24, Elimar Riesebieter wrote:
>> is it possible to have one key pair for DNSSEC to sign subdomains in
>> different zonefiles?
>
> IIUC how it works, the generation of a key pair includes the zone name,
> so no, I do not think it is possible. Also, and more to the point,
> there's no benefit to what you are asking.
>
> What is the problem you are hoping to solve? If we know that perhaps
> we can suggest something else.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list