[Opendnssec-user] A question about keys and such
gilles.massen at restena.lu
Fri Jan 22 06:37:26 UTC 2016
On 01/21/2016 10:53 PM, Jake Zack wrote:
> So…is it not possible to have a whack of domains use the same keys with
Yes, it is. You'd need the <ShareKeys/> tag in the <Keys> section of
> Question 2…
> When I ran the key generate, did it attach each key to a parent zone
> immediately? Or is it only enforcerd that builds these relationships?
At least for 1.3.x, it does not attach keys to a zone (if you are using
shared keys). But the keys are attached to the policy (in the database -
not sure how you can see that using ods-ksmutil).
> Question 3…
> If I copy this setup to a second machine…upon the next key rotation, can
> I expect both machines to select the same key IDs for the new incoming key?
I'll pass on this one. In any case, if you have two machines identical
at some point in time, you might see a drift over time in the signatures
due to jitter. I don't know if/how this would apply to the key handling,
but in our case I planned for regular syncing between our two machines.
Fondation RESTENA - DNS-LU
2, avenue de l'Université