[Opendnssec-user] A question about keys and such

Jake Zack jake.zack at cira.ca
Thu Jan 21 21:53:08 UTC 2016

Looking at a multi-domain signing solution...

I had assumed there would be a way to sign 50 domains using the same KSK/ZSKs...as it's been discussed at various DNS-OARCs and such (often negatively).

I have all 50 domains using the same "default" policy I've modified...and I run an 'ods-ksmutil key generate --policy=default --interval P5Y'...and it's created ~4000 keys.

As expected with this behavior, an 'ods-ksmutil key list -verbose' lists every key with its attached domain.

So...is it not possible to have a whack of domains use the same keys with OpenDNSSEC?

Question 2...

When I ran the key generate, did it attach each key to a parent zone immediately?  Or is it only enforcerd that builds these relationships?

Question 3...

If I copy this setup to a second machine...upon the next key rotation, can I expect both machines to select the same key IDs for the new incoming key?

Thanks again for the excellent community,
-Jacob Zack
Sr. DNS Administrator - CIRA (.CA TLD)
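Added example, not part of the message above and not a file shipped by the OpenDNSSEC project: a kasp.xml <Keys> fragment showing the policy-level switch under which zones attached to the same policy draw on a common KSK/ZSK pool instead of each getting its own set. It assumes the OpenDNSSEC 1.4 kasp.xml schema; the policy name "default", the lifetimes and the repository name are illustrative values, not taken from the poster's configuration.

```xml
<Policy name="default">
  <!-- Signatures, Denial, Zone and Parent sections unchanged; only Keys shown -->
  <Keys>
    <!-- Parameters common to KSK and ZSK -->
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>

    <!-- Without this element every zone on the policy gets its own keys,
         so "key generate" for 50 zones over a 5-year interval allocates
         50 independent key sets. With it, zones on this policy share one
         KSK and one ZSK at a time. (Assumed: OpenDNSSEC 1.4 schema.) -->
    <ShareKeys/>

    <Purge>P14D</Purge>

    <KSK>
      <Algorithm length="2048">8</Algorithm>   <!-- RSA/SHA-256, illustrative -->
      <Lifetime>P1Y</Lifetime>
      <Repository>SoftHSM</Repository>         <!-- illustrative repository name -->
    </KSK>
    <ZSK>
      <Algorithm length="1024">8</Algorithm>
      <Lifetime>P30D</Lifetime>
      <Repository>SoftHSM</Repository>
    </ZSK>
  </Keys>
</Policy>
```

After editing kasp.xml the enforcer has to be told about the change, e.g. with 'ods-ksmutil update kasp'. The operational trade-off that gets aired at DNS-OARC applies either way: with shared keys a KSK rollover, or a key compromise, is one event for every zone on the policy, so all 50 DS records at the parent(s) change together; with per-zone keys the blast radius is one zone but the key count and the number of DS updates scale with the zone count.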