Is it possible to use one KSK for multiple domains?
Adam Tkac
atkac at redhat.com
Thu Nov 20 13:15:47 UTC 2008
On Thu, Nov 20, 2008 at 09:18:01AM +0000, Niall O'Reilly wrote:
> On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> > does anyone know if it is possible to sign multiple domains with one
> > KSK?
>
> Adam,
>
> I suspect your question may need to be more specific.
Right you are.
>
> Are you asking about the signing process itself, or rather
> about how certain aspects of this process need to be exposed
> in the DNS?
>
> The RFC-fragment you cite seems to me to require that each
> signed zone needs its set of [KZ]SK exposed in the DNS, but
> to be silent on whether a single key can be reused by appearing
> as RDATA in the DNSKEY RRsets of multiple zones.
>
> I haven't read 4033/4034 thoroughly, so it's possible I may
> have misunderstood completely.
>
> Best regards,
>
> Niall O'Reilly
>
I know people who maintain many domains, so they would like to use a
scenario like this:
- each zone has its own ZSK
- all ZSKs are signed with one KSK and the corresponding DS is in the
parent zone
So, in theory, validation will look like:
- get myzone.tld. DS from tld.
- validate myzone.tld. DNSKEY (= validate KSK)
- validate all ZSKs with myzone.tld. KSK
If I understand section 2.1.1 of RFC 4034 correctly, then when I want
to validate, for example, the "myzone1.tld." ZSK, there are only two ways:
- get the myzone1.tld. DS from the tld. zone
- get another myzone1.tld. key which will validate it
It isn't possible to validate myzone1.tld. with a key from another zone,
for example myzone2.tld., is it?
Regards, Adam
--
Adam Tkac, Red Hat, Inc.
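The validation steps listed in the post (get the DS from tld., validate the DNSKEY RRset with it, then validate the ZSKs) hinge on how a DS record in the parent is tied to a DNSKEY in the child. RFC 4034 section 5.1.4 defines the DS digest over the canonical wire-format owner name followed by the DNSKEY RDATA, and Appendix B defines the key tag over the RDATA alone. The script below, an added example in Python that is not part of the thread, reproduces both computations and the comparison a validator makes. The zone names come from the post; the public-key bytes are constructed placeholders, not real keys, and there is no signature checking here, only the DS-to-DNSKEY link.

```python
"""DS <-> DNSKEY linkage as a validator sees it (RFC 4034 s5.1.4 and Appendix B).

Added example, not code from the bind-users thread. Key bytes are constructed
placeholders, not real public keys.
"""
import hashlib
import struct

# Constructed placeholder for a KSK public-key field (NOT a real key).
SHARED_KSK_PUBKEY = bytes(range(1, 65))
# Constructed placeholder for a ZSK public-key field, distinct from the KSK.
ZSK_PUBKEY = bytes(range(64, 0, -1))


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 s6.2)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            lab = label.encode("ascii")
            if not 1 <= len(lab) <= 63:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(lab)]) + lab
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the general case, not algorithm 1).
    Note it covers the RDATA only; the owner name plays no part."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest per RFC 4034 s5.1.4: digest(canonical owner name | DNSKEY RDATA).
    digest_type 1 = SHA-1, 2 = SHA-256 (RFC 4509)."""
    if digest_type == 1:
        h = hashlib.sha1()
    elif digest_type == 2:
        h = hashlib.sha256()
    else:
        raise ValueError("unsupported digest type %d" % digest_type)
    h.update(name_to_wire(owner) + rdata)
    return h.digest()


def ds_record(owner, rdata, digest_type=2):
    """DS RDATA fields as a tuple: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, rdata):
    """What a validator does with a DS obtained from the parent: recompute it over
    the child's DNSKEY at the child's own owner name and compare every field."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata)
            and alg == rdata[3]
            and ds_digest(owner, rdata, dtype) == digest)


def dnskeys_authenticated_by_ds(owner, ds_rrset, dnskey_rrset):
    """The subset of the child's DNSKEY RRset at `owner` that some parent DS vouches for."""
    return [rd for rd in dnskey_rrset
            if any(ds_matches_dnskey(ds, owner, rd) for ds in ds_rrset)]


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, SHARED_KSK_PUBKEY)  # flags 257 = ZONE + SEP
    # Same key material published under two owner names: same key tag, different DS.
    for zone in ("myzone1.tld.", "myzone2.tld."):
        tag, alg, dtype, digest = ds_record(zone, ksk)
        print("%s IN DS %d %d %d %s" % (zone, tag, alg, dtype, digest.hex()))
    ds_zone1 = ds_record("myzone1.tld.", ksk)
    print("DS for myzone1 vs DNSKEY at myzone1:", ds_matches_dnskey(ds_zone1, "myzone1.tld.", ksk))
    print("DS for myzone1 vs DNSKEY at myzone2:", ds_matches_dnskey(ds_zone1, "myzone2.tld.", ksk))
```

Because the owner name is inside the digest, a DS that tld. publishes at myzone1.tld. only matches DNSKEY records whose owner name is myzone1.tld.; identical key bytes under myzone2.tld. need their own DS at the parent, even though both DNSKEY records carry the same key tag.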