Sign ZSK key permanently

Paul van der Vlis paul at
Fri Aug 24 15:30:18 UTC 2018

Hi Tony,

Thanks for your answer!

Op 23-08-18 om 18:40 schreef Tony Finch:
> Paul van der Vlis <paul at> wrote:
>> Is it possible to sign the ZSK key permanently with the KSK key?
>> In this way I could keep the KSK key offline.
> The only(*) revocation mechanisms in DNSSEC are expiring signatures and
> replacing keys. If you sign your DNSKEY records permanently, when anyone
> manages to compromise them they will be able to spoof records in your zone
> until you replace the KSK.
> In effect, what you will have done is coupled the keys together
> permanently so they are of equivalent power, and eliminated all benefit of
> keeping the KSK offline.
> The point of an offline KSK is to allow you to recover from compromise of
> your ZSK without having to replace your DS records or other trust anchors.

If the ZSK and KSK are on the same place, they will be compromized
together I would say.

> It's worth having a look at how the root DNSKEY RRset is managed: they get
> the KSK out of storage a few times a year, when they generate RRSIG
> records for the next few months.

A long TTL is needed then.

> (*) The other mechanism is the RFC 5011 revoked bit, which only applies to
> KSKs that are being tracked as auto-updating trust anchors (managed-keys
> etc.) but that doesn't apply to other records that depend on signature and
> key rotation for revocation.
Isn't it possible to revoke the ZSK key, and sign the zone with a new
ZSK key?

Without an offline KSK, I do not see a reason for both a KSK and a ZSK
key. Do you?

With regards,
Paul van der Vlis

Paul van der Vlis Linux systeembeheer Groningen

More information about the bind-users mailing list