Looking at a multi-domain signing solution... I had assumed there would be a way to sign 50 domains using the same KSK/ZSKs... as it's been discussed at various DNS-OARCs and such (often negatively).

I have all 50 domains using the same "default" policy I've modified... and I run an `ods-ksmutil key generate --policy=default --interval P5Y`... and it's created ~4000 keys. As expected with this behavior, an `ods-ksmutil key list --verbose` lists every key with its attached domain. So... is it not possible to have a whack of domains use the same keys with OpenDNSSEC?

Question 2... When I ran the key generate, did it attach each key to a parent zone immediately? Or is it only enforcerd that builds these relationships?

Question 3... If I copy this setup to a second machine... upon the next key rotation, can I expect both machines to select the same key IDs for the new incoming key?

Thanks again for the excellent community,

-Jacob Zack
Sr. DNS Administrator - CIRA (.CA TLD)
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
