Re: Is it possible to use one KSK for multiple domains?
On Wed, Nov 19, 2008 at 09:55:52PM +0100, Adam Tkac [EMAIL PROTECTED] wrote a message of 17 lines which said:

> If I understand correctly what RFC 4034, section 2.1.1 says ...
>
> If bit 7 has value 1, then the DNSKEY record holds a DNS zone key, and the DNSKEY RR's owner name MUST be the name of a zone...
>
> it is impossible. Each zone has to have its own KSK and ZSK pair, hasn't it?

[Warning: still struggling with the subtleties of KSK/ZSK.]

The text you quote is for DNS publication. But you typically do not put KSK in the DNS, no?

I would say, quoting Tolkien: one ZSK per zone, but only one KSK to sign them all.

[AFNIC manages six TLDs so the answer interests us, too.]

___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Is it possible to use one KSK for multiple domains?
On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:

> does anyone know if it is possible to sign multiple domains with one KSK?

Adam,

I suspect your question may need to be more specific. Are you asking about the signing process itself, or rather about how certain aspects of this process need to be exposed in the DNS?

The RFC fragment you cite seems to me to require that each signed zone needs its set of [KZ]SK exposed in the DNS, but to be silent on whether a single key can be reused by appearing as RDATA in the DNSKEY RRsets of multiple zones.

I haven't read 4033/4034 thoroughly, so it's possible I may have misunderstood completely.

Best regards,
Niall O'Reilly
Re: Is it possible to use one KSK for multiple domains?
On Thu, Nov 20, 2008 at 11:55:17AM +, Chris Thompson [EMAIL PROTECTED] wrote a message of 33 lines which said:

> > The text you quote is for DNS publication. But you typically do not put KSK in the DNS, no?
>
> Sure you do. How could a validator use it if you didn't?

Because it is published as a trust anchor?
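Added example, not code from any poster in this thread: it applies the RFC 4034 section 2.1.1 rule Adam quoted (bit 7 set means a zone key, whose owner name must be the zone name) to DNSKEY records for two zones that carry identical key RDATA, the reuse Niall describes, and computes the RFC 4034 Appendix B key tag to show that the tag depends only on the RDATA, never on the owner name. The 4-byte key value is a constructed placeholder, not real key material.

```python
import base64
import struct

# Constructed 4-byte stand-in for DNSKEY public key material (not a real key).
# The same RDATA is published under two zone apexes, mirroring the question.
SAMPLE_KEY_B64 = "AQIDBA=="
ZONE_KEY_FLAG = 0x0100  # RFC 4034 s2.1.1 bit 7, bits counted from the MSB
SEP_FLAG = 0x0001       # RFC 4034 s2.1.1 bit 15, the Secure Entry Point bit


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B: a checksum over the RDATA only,
    so the owner name the record is published under does not influence it."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def classify_dnskey(owner, zone, flags):
    """Apply the publication rule quoted in the thread: a DNSKEY with bit 7
    set is a zone key and MUST be owned by the zone name itself. The SEP bit
    is the conventional (not mandatory) marker separating a KSK from a ZSK."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    if not flags & ZONE_KEY_FLAG:
        return "not-zone-key"
    if owner != zone:
        raise ValueError(f"zone key at {owner!r} must be owned by the apex {zone!r}")
    return "KSK" if flags & SEP_FLAG else "ZSK"


def publish_shared_ksk(zones, flags=ZONE_KEY_FLAG | SEP_FLAG, algorithm=8):
    """Build one DNSKEY RR per zone, all with identical RDATA, and return
    {zone: (role, key_tag)}; equal key tags show that nothing in the RR
    itself ties the key material to a single owner name."""
    pubkey = base64.b64decode(SAMPLE_KEY_B64)
    result = {}
    for zone in zones:
        role = classify_dnskey(zone, zone, flags)  # owner is the apex here
        result[zone] = (role, dnskey_key_tag(flags, 3, algorithm, pubkey))
    return result


if __name__ == "__main__":
    for zone, (role, tag) in publish_shared_ksk(["example.", "example.net."]).items():
        print(f"{zone:<14} IN DNSKEY 257 3 8 {SAMPLE_KEY_B64}  ; {role}, key tag {tag}")
```

Whether a validator trusts that shared key for a given zone is then a question of the DS record in the parent (or a configured trust anchor) for each zone, which the script does not model.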