[Opendnssec-user] A question about keys and such

Gilles Massen gilles.massen at restena.lu
Fri Jan 22 06:37:26 UTC 2016

Hi Jake,

On 01/21/2016 10:53 PM, Jake Zack wrote:

> So…is it not possible to have a whack of domains use the same keys with

Yes, it is. You'd need the <ShareKeys/> tag in the <Keys> section of
your policy.

> Question 2…
> When I ran the key generate, did it attach each key to a parent zone
> immediately?  Or is it only enforcerd that builds these relationships?

At least for 1.3.x, it does not attach keys to a zone (if you are using
shared keys). But the keys are attached to the policy (in the database -
not sure how you can see that using ods-ksmutil)

> Question 3…
> If I copy this setup to a second machine…upon the next key rotation, can
> I expect both machines to select the same key IDs for the new incoming key?

I'll pass on this one. In any case, if you have two machines identical
at some point in time, you might see a drift over time in the signatures
due to jitter. I don't know if/how this would apply to the key handling,
but in our case I planned for regular syncing between our two machines.


Fondation RESTENA - DNS-LU
2, avenue de l'Université
LU-4365 Esch-sur-Alzette
tel: +352.4244091
fax: +352.422473
