[Opendnssec-user] single KSK, multiple ZSKs

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Sep 13 20:54:28 UTC 2016


Hi Simon,

> Each zone file should
> be signed with its own ZSK, yet all ZSKs should be signed by a single
> KSK. What configuration steps are necessary to prevent OpenDNSSEC from
> generating an entirely new ZSK/KSK key-pair each time?

There is the <ShareKeys/> element in the <Keys> section as was there in
ODS 1.4. And it behaves mostly the same: both KSK and ZSK will be
shared. So it does not match your requirements.

If you don't mind me asking, what are your motivations for not sharing
ZSKs as well?

Regards,
Yuri
