Is it possible to use one KSK for multiple domains?
Chris Thompson
cet1 at cam.ac.uk
Thu Nov 20 11:43:05 UTC 2008
On Nov 19 2008, Adam Tkac wrote:
>does anyone know if is it possible to sign multiple domains with one KSK?
>
>If I understand correctly what RFC 4034, section 2.1.1 says "... If bit 7
>has value 1, then the DNSKEY record holds a DNS zone key, and the DNSKEY
>RR's owner name MUST be the name of a zone..." it is impossible. Each zone
>has to have his own KSK and ZSK pair, hasn't it?
It depends what you mean. The owner name has to be different, obviously,
but the DNSKEY records for the KSK(s) (or ZSK(s), for that matter) could
have identical rdata in different zones: i.e. they could specify the same
encryption key. Whether this would be a *good* thing to do is doubtful:
it wouldn't seem to save you anything in the signing process. Even if both
KSKs and ZSKs in different zones had identical rdata, the RRSIG records
for the DNSKEY RRset would not (because the owner name gets fed into the
hashed data).
--
Chris Thompson
Email: cet1 at cam.ac.uk
More information about the bind-users
mailing list