Is it possible to use one KSK for multiple domains?

Mark Andrews Mark_Andrews at isc.org
Thu Nov 20 19:45:20 UTC 2008


In message <Prayer.1.3.1.0811201536320.13515 at hermes-1.csi.cam.ac.uk>, Chris Thompson writes:
> On Nov 20 2008, Stephane Bortzmeyer wrote:
> 
> >On Thu, Nov 20, 2008 at 11:55:17AM +0000,
> > Chris Thompson <cet1 at cam.ac.uk> wrote 
> > a message of 33 lines which said:
> >
> >>> The text you quote is for DNS publication. But you typically do not
> >>> put KSK in the DNS, no?
> >>
> >> Sure you do. How could a validator use it if you didn't? 
> >
> >Because it is published as a trust anchor?
> 
> In theory, I suppose that's true: the named.conf trusted-keys entries are
> just the textual representation of a KSK. (I've not seen a secure zone
> actually configured to leave out the KSK, though, so I'm not sure this
> would work.)
> 
> But who wants to publish trust anchors? Much better to get the KSK 
> validated from the parent zone (DS record) or a trusted source (DLV record).
> And neither of those have enough data to actually *reconstruct* the KSK.
 
	s/reconstruct/identify/

> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
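The point made above, that a DS record identifies a KSK without carrying enough data to reconstruct it, worked through as an added example (not code from the thread or from BIND). It builds the DS digest exactly as RFC 4034 does, over the canonical owner name plus the DNSKEY RDATA, so it also shows why the same key yields a different DS in every zone it is used in; the key bytes are constructed placeholders, not a real RSA key.

```python
"""Derive a DS record from a DNSKEY and show that it identifies, but cannot
reconstruct, the key. Added example; all key material below is constructed."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit locator, not a cryptographic value."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> str:
    """DS RDATA in presentation form: key tag, algorithm, digest type 2 (SHA-256),
    digest over owner-name-wire || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"


def ds_matches(ds: str, owner: str, rdata: bytes) -> bool:
    """The validator's check: does this DNSKEY hash to the DS the parent published?"""
    return ds_record(owner, rdata) == ds


def ds_exposes_key(ds: str, rdata: bytes) -> bool:
    """True only if the raw public key bytes can be read back out of the DS."""
    return rdata[4:].hex().upper() in ds


# Constructed KSK (flags 257 = ZONE|SEP, algorithm 8 = RSASHA256); placeholder key.
KSK_RDATA = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\xab" * 8)
OTHER_RDATA = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\xcd" * 8)

if __name__ == "__main__":
    ds = ds_record("example.com.", KSK_RDATA)
    print("DS for example.com:", ds)
    print("matches our KSK:", ds_matches(ds, "example.com.", KSK_RDATA))
    print("matches another key:", ds_matches(ds, "example.com.", OTHER_RDATA))
    print("same key in another zone:", ds_record("example.net.", KSK_RDATA))
    print("key recoverable from DS:", ds_exposes_key(ds, KSK_RDATA))
```

The key tag is the same in both zones, so a resolver can pick the right DNSKEY out of the RRset, but each zone's DS digest differs because the owner name is hashed in.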


