On Thu, Nov 20, 2008 at 09:18:01AM +0000, Niall O'Reilly wrote:
> On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> > does anyone know if it is possible to sign multiple domains with one
> > KSK?
>
> Adam,
>
> I suspect your question may need to be more specific.

Right you are.

> Are you asking about the signing process itself, or rather
> about how certain aspects of this process need to be exposed
> in the DNS?
>
> The RFC fragment you cite seems to me to require that each
> signed zone needs its set of [KZ]SK exposed in the DNS, but
> to be silent on whether a single key can be reused by appearing
> as RDATA in the DNSKEY RRsets of multiple zones.
>
> I haven't read 4033/4034 thoroughly, so it's possible I may
> have misunderstood completely.
>
> Best regards,
>
> Niall O'Reilly

I know people who maintain many domains, so they would like to use a scenario like this:

- each zone has its own ZSK
- all ZSKs are signed with one KSK, and the corresponding DS is in the parent zone

So, in theory, validation will look like:

- get myzone.tld. DS from tld.
- validate myzone.tld. DNSKEY (= validate KSK)
- validate all ZSKs with myzone.tld. KSK

If I understand section 2.1.1 of RFC 4034 correctly, then when I want to validate, for example, the "myzone1.tld." ZSK there are only two ways:

- get myzone1.tld. DS from the tld. zone
- get another myzone1.tld. key which will validate it

It isn't possible to validate myzone1.tld. with a key from another zone, for example myzone2.tld., is it?

Regards, Adam

--
Adam Tkac, Red Hat, Inc.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
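As an added illustration (not part of the thread), the following Python works through the DS computation of RFC 4034 section 5.1.4 for the scenario Adam describes: the same KSK DNSKEY RDATA published in two zones. The key bytes are a constructed placeholder, not a real key; the script shows that the key tag depends only on the RDATA, while the DS digest also covers the owner name, so each zone still needs its own DS record in the parent.

```python
import hashlib

# Constructed example KSK RDATA: flags=257 (SEP bit set), protocol=3,
# algorithm=8 (RSASHA256). The "public key" bytes are a placeholder only.
KSK_RDATA = bytes([0x01, 0x01, 0x03, 0x08]) + bytes([0x03, 0x01, 0x00, 0x01]) + b"\xab" * 4


def name_to_wire(owner: str) -> bytes:
    """Canonical (lower-case) wire format of a fully-qualified owner name (RFC 4034 s6.2)."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels if lb) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSAMD5 case).
    Note that the owner name is not an input, so the tag is identical in every zone."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name | DNSKEY RDATA) (RFC 4034 s5.1.4).
    digest_type 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS record the parent (tld.) would have to publish."""
    algorithm = rdata[3]
    digest_hex = ds_digest(owner, rdata, digest_type).hex().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest_hex}"


if __name__ == "__main__":
    # Same key tag in both lines, different digest: one DS per zone is required.
    for zone in ("myzone1.tld.", "myzone2.tld."):
        print(ds_record(zone, KSK_RDATA))
```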