On Oct 4 2018, Mark Elkins wrote:

On 10/04/2018 05:03 PM, Roberto Carna wrote:
[...]
I have two DNS servers running BIND 9.10, they have delegated my own
domain, let's say "robert.com.uk" and some
other domains from our clients, let's say:

client1.com.uk
client2.edu.uk
client3.info.uk

Can I sign these client zones with my ZSK, or do I have to have a
different key for each domain?

I believe common practice is to create separate KSK and ZSK keys for
each domain - so each domain will have their own DS records in the
parent. This way, if one of the clients moves their domain to a new DNS
provider - there is no security conflict in the move from shared keys.

Even if you make the RDATA of the KSKs identical for the different zones
the DS records you will need to insert into the parent zones will be
different, because the hashing algorithm includes the KSK owner name
(i.e. the zone name) in its input. See RFC 4034 section 5.1.4.

Similarly using ZSKs with identical RDATA in the different zones will
not make any of the RRSIGs the same (e.g. for the www.[zonename] RRs
in different zones), because the full owner name is included in the
hashing input.

(Use a different Key)

Yes. Because there are no advantages whatsoever in doing otherwise!

--
Chris Thompson
Email: c...@cam.ac.uk
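As an added illustration of the two points above (not code from the thread, from BIND, or from ISC), the following Python builds the RFC 4034 inputs by hand: the DS digest input (owner name | DNSKEY RDATA, section 5.1.4) and the RRSIG signing input (RRSIG RDATA without the Signature field | canonically ordered RRset, section 3.1.8.1), using one KSK and one ZSK whose RDATA is identical in every zone. Assumptions: the zone names are the ones from the question, the "public key" bytes are arbitrary filler rather than real keys, algorithm 13 and SHA-256 (DS digest type 2) are used, and the inception/expiration timestamps and the A record 192.0.2.1 are made up. It uses only the standard library. Note the key tag, which depends only on the RDATA, does come out the same in every zone; only the DS digest and the signatures differ.

```python
"""Constructed demonstration (not from the bind-users thread): identical DNSKEY
RDATA in several zones still yields different DS digests and different RRSIG
signing inputs, because both include the owner name. Key bytes are filler."""
import hashlib
import struct
from typing import Dict, Sequence, Tuple

# Constructed sample keys shared across all zones (the scenario in the question).
# flags=257 marks a KSK (SEP bit), flags=256 a ZSK; protocol is always 3;
# algorithm 13 is ECDSAP256SHA256. The 64 "public key" bytes are arbitrary filler.
SHARED_KSK_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
SHARED_ZSK_RDATA = struct.pack("!HBB", 256, 3, 13) + bytes(range(64, 128))

TYPE_A = 1
CLASS_IN = 1


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 s6.2): lowercase, uncompressed."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminator


def ds_digest(owner: str, dnskey_rdata: bytes) -> str:
    """RFC 4034 s5.1.4: digest = hash(DNSKEY owner name | DNSKEY RDATA); SHA-256 (type 2) here."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata).hexdigest()


def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; depends on RDATA only, so it is identical in every zone."""
    acc = 0
    for i, b in enumerate(dnskey_rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def canonical_rr(owner: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One RR in canonical wire form: owner | type | class | TTL | RDLENGTH | RDATA."""
    return wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def rrsig_signing_input(zone: str, owner: str, rtype: int, ttl: int, rdatas: Sequence[bytes],
                        zsk_rdata: bytes, inception: int, expiration: int) -> bytes:
    """RFC 4034 s3.1.8.1: the bytes the signer hashes, i.e. RRSIG RDATA without the
    Signature field, followed by the RRset in canonical order. The Signer's Name
    field is the zone name. Wildcard label counting is deliberately not handled."""
    algorithm = zsk_rdata[3]
    labels = len(owner.rstrip(".").split("."))
    rrsig_rdata = struct.pack("!HBBIIIH", rtype, algorithm, labels, ttl,
                              expiration, inception, key_tag(zsk_rdata)) + wire_name(zone)
    # RFC 4034 s6.3: RRs within the RRset sorted by RDATA as unsigned octet strings.
    rrset = b"".join(canonical_rr(owner, rtype, ttl, rd) for rd in sorted(rdatas))
    return rrsig_rdata + rrset


def compare_zones(zones: Sequence[str] = ("client1.com.uk", "client2.edu.uk", "client3.info.uk")
                  ) -> Tuple[Dict[str, str], Dict[str, bytes]]:
    """Publish the same KSK in each zone and sign www.<zone> A 192.0.2.1 with the same ZSK:
    return per-zone DS digests and per-zone RRSIG signing inputs (constructed data)."""
    ds = {z: ds_digest(z, SHARED_KSK_RDATA) for z in zones}
    sig_in = {
        z: rrsig_signing_input(z, "www." + z, TYPE_A, 3600, [bytes([192, 0, 2, 1])],
                               SHARED_ZSK_RDATA, inception=1538611200, expiration=1541203200)
        for z in zones
    }
    return ds, sig_in


if __name__ == "__main__":
    ds, sig_in = compare_zones()
    tag = key_tag(SHARED_KSK_RDATA)
    for z in ds:
        print(f"{z:16} DS {tag} 13 2 {ds[z]}")
        print(f"{'':16} sha256(RRSIG signing input) {hashlib.sha256(sig_in[z]).hexdigest()[:16]}...")
```

Running it prints three DS records with the same key tag and algorithm but three different digests, and three different signing-input hashes; the only thing that changed between zones is the owner name. That is why moving a client elsewhere never makes their DS or RRSIGs collide with yours, and also why sharing the key buys nothing.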




bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users