Question about KSK

Spain, Dr. Jeffry A. spainj at
Fri Apr 27 13:08:28 UTC 2012

> We are authoritative for a few dozen small zones.  Is it possible to use the same KSK for all of them?  I can see where if it gets compromised we would need to resign all zones using the KSK at once.  How much effort would I be saving sharing the KSK?

My sense is that you would be creating more effort, at least more concentrated effort, for yourself on the back end. When the shared KSK needed to be rolled over, you would have to process DS records in the parents of your few dozen zones all at the same time. Instead you could script dnssec-keygen to create unique KSKs for each zone, and in so doing you could adjust the timing metadata for each to spread this rollover workload over a suitable period of time. My sense is that keeping track of the KSK files themselves does not create a large amount of administrative overhead.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
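The per-zone keygen loop described in the reply, as an added example (not from the post or from ISC's BIND documentation): one KSK per zone, with the Inactive/Delete timing metadata staggered by a week per zone so the rollovers, and the DS updates in each parent, never all fall due at once. The key directory, algorithm, stagger interval and zone list are assumptions; the zone names are constructed. Publishing each new DS to the parent remains a per-zone step at rollover time.

```shell
#!/bin/sh
# Added example, not from the original post. Creates one KSK per zone with
# dnssec-keygen and staggers the Inactive (-I) and Delete (-D) dates so that
# successive zones roll their KSK one week apart instead of simultaneously.
# dnssec-keygen accepts relative offsets such as +372d for its timing options.
KEYDIR="${KEYDIR:-/var/named/keys}"   # assumed key directory
BASE_DAYS=365                          # first zone's KSK goes inactive after a year
STAGGER_DAYS=7                         # each further zone rolls one week later
GRACE_DAYS=30                          # retired KSK stays published 30 days past Inactive

# ksk_inactive_offset N -> "+<days>d" Inactive offset for the Nth zone (0-based)
ksk_inactive_offset() {
    printf '+%dd' $(( BASE_DAYS + $1 * STAGGER_DAYS ))
}

# ksk_delete_offset N -> Delete offset, GRACE_DAYS after the Inactive date
ksk_delete_offset() {
    printf '+%dd' $(( BASE_DAYS + $1 * STAGGER_DAYS + GRACE_DAYS ))
}

# ksk_keygen_cmd ZONE N -> the dnssec-keygen command line for review / dry run
ksk_keygen_cmd() {
    printf 'dnssec-keygen -K %s -f KSK -a RSASHA256 -b 2048 -I %s -D %s %s\n' \
        "$KEYDIR" "$(ksk_inactive_offset "$2")" "$(ksk_delete_offset "$2")" "$1"
}

# Constructed zone list; DRYRUN=1 (the default) only prints the commands.
ZONES="${ZONES:-example.org example.net example.com}"
run_ksk_keygen() {
    i=0
    for zone in $ZONES; do
        if [ "${DRYRUN:-1}" = 1 ]; then
            ksk_keygen_cmd "$zone" "$i"
        else
            dnssec-keygen -K "$KEYDIR" -f KSK -a RSASHA256 -b 2048 \
                -I "$(ksk_inactive_offset "$i")" -D "$(ksk_delete_offset "$i")" "$zone"
        fi
        i=$((i + 1))
    done
}

run_ksk_keygen
```

If the stagger needs changing after the keys exist, the same timing fields can be rewritten on the key files with dnssec-settime rather than regenerating the keys.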
