Using one key to sign multiple zones (aka key sharing)

Mark Andrews marka at isc.org
Wed Oct 13 13:33:02 UTC 2010


Named is written such that each DNSKEY has its own key files.  This
stores metadata about the DNSKEY.  There is nothing to prevent one
from extracting the RSA key pair and re-using it for a different DNSKEY.
We just don't have a tool to do this.

If you are using an HSM then using dnssec-keyfromlabel multiple times
with the same label will do the same thing.

It basically comes down to whether you are working with a DNSKEY
or an RSA key and where the metadata is stored.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
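The DNSKEY-versus-RSA-key distinction above, as an added Python example that is not from the post or from BIND: the same RSA public key is turned into DNSKEY RDATA under two zone names, showing that the RDATA and key tag depend only on the key while the per-key-file metadata (Created/Publish/Activate) is what differs. The modulus, exponent and .private file contents are constructed placeholders in the shape of BIND's v1.3 key file, not a usable key.

```python
import base64

MODULUS = bytes(range(1, 33))   # constructed placeholder, not a real RSA modulus
EXPONENT = b"\x01\x00\x01"      # 65537, the usual RSA public exponent

def bind_private_file(created: str) -> str:
    """Constructed BIND v1.3-style .private file for the SAME RSA key pair,
    carrying its own per-DNSKEY metadata (private CRT fields omitted)."""
    return (
        "Private-key-format: v1.3\n"
        "Algorithm: 8 (RSASHA256)\n"
        f"Modulus: {base64.b64encode(MODULUS).decode()}\n"
        f"PublicExponent: {base64.b64encode(EXPONENT).decode()}\n"
        f"Created: {created}\nPublish: {created}\nActivate: {created}\n"
    )

def parse_private(text: str) -> dict:
    """Split 'Field: value' lines into a dict; base64 fields stay as text."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def rfc3110_pubkey(exponent: bytes, modulus: bytes) -> bytes:
    """RFC 3110 wire form: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    if len(exponent) < 256:
        return bytes([len(exponent)]) + exponent + modulus
    return b"\x00" + len(exponent).to_bytes(2, "big") + exponent + modulus

def dnskey_rdata(priv: dict, flags: int = 257) -> bytes:
    """DNSKEY RDATA (RFC 4034): flags, protocol 3, algorithm, public key.
    The owner (zone) name is not part of the RDATA, so any zone gets the same bytes."""
    alg = int(priv["Algorithm"].split()[0])
    pub = rfc3110_pubkey(base64.b64decode(priv["PublicExponent"]),
                         base64.b64decode(priv["Modulus"]))
    return flags.to_bytes(2, "big") + b"\x03" + bytes([alg]) + pub

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rr(zone: str, priv: dict) -> str:
    """Presentation-format DNSKEY RR for `zone` built from the shared RSA key."""
    rdata = dnskey_rdata(priv)
    return (f"{zone} IN DNSKEY 257 3 {rdata[3]} "
            f"{base64.b64encode(rdata[4:]).decode()} ; key id = {key_tag(rdata)}")

if __name__ == "__main__":
    for zone, created in (("example.com.", "20101013133302"),
                          ("example.net.", "20101020090000")):
        priv = parse_private(bind_private_file(created))
        print(dnskey_rr(zone, priv), "| Publish:", priv["Publish"])
```

Both zones print the same key tag; only the metadata column differs, which is exactly what lives in the per-DNSKEY key files.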


