Is it possible to use one KSK for multiple domains?

Chris Thompson cet1 at cam.ac.uk
Thu Nov 20 11:55:17 UTC 2008


On Nov 20 2008, Stephane Bortzmeyer wrote:

[...snipped...]
>[Warning: still struggling with the subtleties of KSK/ZSK.]
>
>The text you quote is for DNS publication. But you typically do not
>put KSK in the DNS, no?

Sure you do. How could a validator use it if you didn't? Perhaps
you meant: you would keep the private half of the KSK more securely
locked up than the private half of the ZSK?

The usual setup in a signed zone is

  DNSKEY RRset at zone apex: one RR for each KSK and for each ZSK
  RRSIG RRs for the DNSKEY RRset: one signed with each KSK
                              and one signed with each ZSK
  RRSIG RRs for all other RRsets: one signed with each ZSK

(allowing for multiple KSKs and ZSKs because of rollover).

That is, KSKs are used only to sign the DNSKEY RRset, and those
RRSIGs would typically be generated offline, even if the private
halves of the ZSKs are online.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
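The signing layout Chris describes (KSKs sign only the DNSKEY RRset, ZSKs sign everything including the DNSKEY RRset) can be checked mechanically from a zone's text dump. The following is an added example, not code from the thread or from BIND: it computes RFC 4034 key tags from the DNSKEY RDATA, maps every RRSIG's key tag back to a key role, and flags a KSK signing anything other than DNSKEY. It does not verify signatures cryptographically. It assumes one record per line (no parenthesised multi-line records), and the zone data and key material below are constructed dummies, not real keys.

```python
"""Audit which DNSSEC keys sign which RRsets in a one-record-per-line zone dump.

Added example for the bind-users thread; not BIND code. Checks the layout the
post describes: the DNSKEY RRset is signed by at least one KSK, and no other
RRset is signed by a KSK. Signatures are NOT verified cryptographically; RRSIG
key tags are only matched against the DNSKEY RRset.
"""
import base64
from collections import defaultdict

SEP_BIT = 1  # DNSKEY flags: 257 = zone key (256) + Secure Entry Point (1) -> KSK


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA (algorithms != 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text: str):
    """Return (keys, sigs): keys maps key tag -> 'KSK'/'ZSK', sigs maps the
    RRSIG's covered type -> set of key tags that signed it.

    Key tags can collide; a real validator tries every key with that tag. This
    audit simply keeps the last role seen for a tag, which is fine for a demo.
    """
    keys = {}
    sigs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip blanks, comments and anything that is not "name ttl IN type ..."
        rtype = fields[3]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(f) for f in fields[4:7])
            pub = base64.b64decode("".join(fields[7:]))
            keys[key_tag(flags, proto, alg, pub)] = "KSK" if flags & SEP_BIT else "ZSK"
        elif rtype == "RRSIG":
            # RRSIG RDATA: covered alg labels origttl expiration inception keytag signer sig...
            covered, tag = fields[4], int(fields[10])
            sigs[covered].add(tag)
    return keys, dict(sigs)


def audit(keys, sigs):
    """Return a list of problems; an empty list means the layout matches the post."""
    problems = []
    ksks = {t for t, role in keys.items() if role == "KSK"}
    if not sigs.get("DNSKEY", set()) & ksks:
        problems.append("DNSKEY RRset is not signed by any KSK")
    for covered, tags in sigs.items():
        for tag in sorted(tags):
            if tag not in keys:
                problems.append(f"RRSIG over {covered} uses key tag {tag} absent from DNSKEY RRset")
            elif covered != "DNSKEY" and tag in ksks:
                problems.append(f"RRSIG over {covered} is signed by KSK {tag}; KSKs should sign only DNSKEY")
    return problems


def check_zone(text: str):
    """Convenience wrapper: parse and audit in one call."""
    return audit(*parse_zone(text))


# Constructed sample zone (dummy 4-byte "public keys", not real ECDSA material).
# Key tags: KSK (257 3 13 01020304) -> 2068, ZSK (256 3 13 05060708) -> 4123.
GOOD_ZONE = """\
example.com.     3600 IN DNSKEY 257 3 13 AQIDBA==
example.com.     3600 IN DNSKEY 256 3 13 BQYHCA==
example.com.     3600 IN RRSIG DNSKEY 13 2 3600 20081220000000 20081120000000 2068 example.com. c2lnMQ==
example.com.     3600 IN RRSIG DNSKEY 13 2 3600 20081220000000 20081120000000 4123 example.com. c2lnMg==
example.com.     3600 IN RRSIG SOA 13 2 3600 20081220000000 20081120000000 4123 example.com. c2lnMw==
www.example.com. 3600 IN RRSIG A 13 3 3600 20081220000000 20081120000000 4123 example.com. c2lnNA==
"""

# Same zone, but the A RRset at www was signed with the KSK (tag 2068).
BAD_ZONE = GOOD_ZONE.replace("A 13 3 3600 20081220000000 20081120000000 4123",
                             "A 13 3 3600 20081220000000 20081120000000 2068")

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, check_zone(zone) or "OK")
```

Running it prints `good OK` and, for the altered zone, a single complaint that the `A` RRset is signed by KSK 2068. The same audit run over `dig +dnssec` output or a `dnssec-signzone` result (one record per line) shows at a glance whether the offline KSK has been used for anything beyond the DNSKEY RRset.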
