Sign ZSK key permanently

Tony Finch dot at
Thu Aug 23 16:40:39 UTC 2018

Paul van der Vlis <paul at> wrote:
> Is it possible to sign the ZSK key permanently with the KSK key?
> In this way I could keep the KSK key offline.

The only(*) revocation mechanisms in DNSSEC are expiring signatures and
replacing keys. If you sign your DNSKEY records permanently, when anyone
manages to compromise them they will be able to spoof records in your zone
until you replace the KSK.

In effect, what you will have done is coupled the keys together
permanently so they are of equivalent power, and eliminated all benefit of
keeping the KSK offline.

The point of an offline KSK is to allow you to recover from compromise of
your ZSK without having to replace your DS records or other trust anchors.

It's worth having a look at how the root DNSKEY RRset is managed: they get
the KSK out of storage a few times a year, when they generate RRSIG
records for the next few months.

(*) The other mechanism is the RFC 5011 revoked bit, which only applies to
KSKs that are being tracked as auto-updating trust anchors (managed-keys
etc.) but that doesn't apply to other records that depend on signature and
key rotation for revocation.

f.anthony.n.finch  <dot at>
justice and liberty cannot be confined by national boundaries

More information about the bind-users mailing list