Is it possible to use one KSK for multiple domains?
Niall O'Reilly
Niall.oReilly at ucd.ie
Thu Nov 20 09:18:01 UTC 2008
On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> does anyone know if it is possible to sign multiple domains with one
> KSK?

Adam,

I suspect your question may need to be more specific.
Are you asking about the signing process itself, or rather
about how certain aspects of this process need to be exposed
in the DNS?

The RFC-fragment you cite seems to me to require that each
signed zone needs its set of [KZ]SK exposed in the DNS, but
to be silent on whether a single key can be reused by appearing
as RDATA in the DNSKEY RRsets of multiple zones.

I haven't read 4033/4034 thoroughly, so it's possible I may
have misunderstood completely.

Best regards,
Niall O'Reilly