Question about KSK

Tony Finch dot at
Fri Apr 27 15:18:30 UTC 2012

WBrown at <WBrown at> wrote:

> We are authoritative for a few dozen small zones.  Is it possible to use
> the same KSK for all of them?  I can see where if it gets compromised we
> would need to resign all zones using the KSK at once.  How much effort
> would I be saving sharing the KSK?

With BIND it is much easier not to share keys - the easy-to-use signing
features (auto-dnssec maintain and dnssec-signzone -S) rely on key
filenames that contain the zone name.

f.anthony.n.finch  <dot at>
Forth, Tyne, Dogger, Northwest Fisher: Northwesterly, veering northeasterly, 4
or 5, occasionally 6 in Dogger. Slight or moderate, occasionally rough at
first. Showers. Good.

More information about the bind-users mailing list