Question about KSK
p.mayers at imperial.ac.uk
Fri Apr 27 13:09:31 UTC 2012
On 27/04/12 13:40, WBrown at e1b.org wrote:
> We are authoritative for a few dozen small zones. Is it possible to use
> the same KSK for all of them? I can see where if it gets compromised we
> would need to resign all zones using the KSK at once. How much effort
> would I be saving sharing the KSK?
That depends entirely on how you are signing and managing the zones.
IMO you might be creating more work for yourself, since it's a less
> I'm sure there are plenty of other good reasons not to do this...
> Enlighten me!
It means you can't change the ZSK independent of the KSK, so any key
changes involve parent DS changes too.
It means you have to keep the ZSK and KSK online; if you use a separate
KSK, you could in theory keep that stored offline and only bring it
online when the ZSK needs re-signing.
Known plaintext attacks. ZSK signs relatively larger amounts of data.
Hence, if you buy this argument, ZSK should be rotated more frequently
than KSK, implying separate keys.
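Added example, not code from the thread above or from BIND: a small model of the KSK/ZSK split that makes the DS argument concrete. It computes the DS digest (type 2, SHA-256) and the RFC 4034 key tag over constructed DNSKEY RDATA (random bytes stand in for a real public key), then shows that rolling the ZSK leaves the parent's DS untouched, rolling the KSK changes it, and that a KSK shared across zones yields one key tag but a distinct DS digest per zone, so a compromise or roll of that one key means touching every zone's DS at the parent. Zone names, the `Zone` class and `zones_sharing_ksk` are this example's own constructions.

```python
"""Model of DNSSEC KSK/ZSK separation and its effect on parent DS records.
Added example; key material is constructed, not real zone keys."""
import hashlib
import os
import struct

SEP_FLAG = 0x0001        # Secure Entry Point bit: set on a KSK
ZONE_KEY_FLAG = 0x0100   # Zone Key bit: set on every DNSKEY used to sign
ALG_ECDSAP256SHA256 = 13
DS_DIGEST_SHA256 = 2


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm (1 byte), public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest: hash over canonical owner name || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def new_key(flags):
    # Constructed stand-in for a public key; a real zone would use dnssec-keygen output.
    return dnskey_rdata(flags | ZONE_KEY_FLAG, ALG_ECDSAP256SHA256, os.urandom(32))


class Zone:
    """One signed zone with its own ZSK and either its own or a shared KSK."""

    def __init__(self, name, ksk=None):
        self.name = name
        self.ksk = ksk if ksk is not None else new_key(SEP_FLAG)
        self.zsk = new_key(0)

    def ds(self):
        """The record the parent publishes: (key tag, algorithm, digest type, digest)."""
        return (key_tag(self.ksk), ALG_ECDSAP256SHA256, DS_DIGEST_SHA256,
                ds_digest(self.name, self.ksk))

    def roll_zsk(self):
        """Replace the ZSK. Only the DNSKEY RRset (signed by the KSK) changes.
        Returns True if the parent's DS would have to change."""
        before = self.ds()
        self.zsk = new_key(0)
        return self.ds() != before

    def roll_ksk(self):
        """Replace the KSK. Returns True if the parent's DS would have to change."""
        before = self.ds()
        self.ksk = new_key(SEP_FLAG)
        return self.ds() != before


def zones_sharing_ksk(zones, ksk):
    """Names of every zone whose DS at the parent depends on this one KSK value:
    the set you must re-sign and re-delegate together if that key is compromised."""
    return [z.name for z in zones if z.ksk == ksk]


if __name__ == "__main__":
    z = Zone("example.net.")
    print("ZSK roll changes DS:", z.roll_zsk())   # False
    print("KSK roll changes DS:", z.roll_ksk())   # True
    shared = new_key(SEP_FLAG)
    a, b = Zone("a.example.", ksk=shared), Zone("b.example.", ksk=shared)
    print("same tag:", a.ds()[0] == b.ds()[0], "same digest:", a.ds()[3] == b.ds()[3])
    print("blast radius of shared KSK:", zones_sharing_ksk([a, b, z], shared))
```

The digest includes the owner name, so a shared KSK does not save any DS records at the parent: each child still needs its own DS, and every one of them changes on a KSK roll. The ZSK, by contrast, never appears in DS at all, which is the property that lets it be rolled often without involving the parent.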