[Opendnssec-user] single KSK, multiple ZSKs

Simon Fromme fromme at tralios.de
Tue Sep 13 14:30:41 UTC 2016


I am currently trying to set up OpenDNSSEC 2.0.1 wanting to use a single 
KSK to sign the ZSKs of multiple zones.

Having not found any information on 
https://wiki.opendnssec.org/display/DOCS20/OpenDNSSEC, I'd be glad if 
somebody could provide me with a way to do this. Each zone file should 
be signed with its own ZSK, yet all ZSKs should be signed by a single 
KSK. What configuration steps are necessary to prevent OpenDNSSEC from 
generating an entirely new ZSK/KSK key-pair each time?

The possibility to do so seems to be a new feature of the recent 2.0 
version, so looking at the older (but much more detailed) documentation 
did not help.

Thanks a lot!
