Chris Thompson cet1 at cam.ac.uk
Tue Sep 29 13:46:31 UTC 2009

On Sep 29 2009, Paveza, Gary wrote:

>I'm currently working on setting up DNSSEC for all our zones.  I have a
>question regarding keys.  Do you use different ZSK and KSKs for each zone?
>Or do you use the same keys for all zones?  

You can't really use the "same" ZSK and/or KSK for different zones, because
they contain the zone name. You could go through contortions to use the
same crypto part (e.g. RSA modulus and exponent) for different zones, but
there really isn't any point in doing so. You still have to register each
zone with its parent (or in dlv.isc.org, say), and you would get no advantage

>How do you handle the reverse zones since they can be comprised of many >different domain names?

DNSSEC certainly adds to the aggravation of having lots of piddling little
reverse zones. Some people may just decide not to bother signing reverse
zones ("reverse lookup results should only be treated as a hint, anyway").

What I would like to see is for more reverse zones to go away, by use
of the scheme I describe in


(There probably ought to be a date in that - it was written last April.)

Chris Thompson
Email: cet1 at cam.ac.uk

More information about the bind-users mailing list