DNSSEC -> subdomains -> keys

Ondřej Surý ondrej at isc.org
Sat Dec 7 17:58:36 UTC 2019

It is certainly possible, but it requires some manual changes to the respective public and private key files to match the zones.

But I would concur with Chuck that the benefit from doing so is nonexistent, and unless you have specific strong reasons to do so, it’s better to have a separate key-pair for every signed zone.

Ondřej Surý — ISC

> On 7 Dec 2019, at 18:36, Chuck Aurora <ca at nodns4.us> wrote:
> On 2019-12-07 08:24, Elimar Riesebieter wrote:
>> is it possible to have one key pair for DNSSEC to sign subdomains in
>> different zonefiles?
> IIUC how it works, the generation of a key pair includes the zone name,
> so no, I do not think it is possible.  Also, and more to the point,
> there's no benefit to what you are asking.
> What is the problem you are hoping to solve?  If we know that, perhaps
> we can suggest something else.