[Opendnssec-user] single KSK, multiple ZSKs

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Sep 13 20:54:28 UTC 2016

Hi Simon,

> Each zone file should
> be signed with its own ZSK, yet all ZSKs should be signed by a single
> KSK. What configuration steps are necessary to prevent OpenDNSSEC from
> generating an entirely new ZSK/KSK key-pair each time?

There is the <ShareKeys/> element in the <Keys> section as was there in
ODS 1.4. And it behaves mostly the same: both KSK and ZSK will be
shared. So it does not match your requirements.

If you don't mind me asking, what are your motivations for not sharing
ZSKs as well?

