On Wed, Nov 19, 2008 at 09:55:52PM +0100, Adam Tkac <[EMAIL PROTECTED]> wrote a message of 17 lines which said:
> If I understand correctly what RFC 4034, section 2.1.1 says "... If
> bit 7 has value 1, then the DNSKEY record holds a DNS zone key, and
> the DNSKEY RR's owner name MUST be the name of a zone..." it is
> impossible. Each zone has to have its own KSK and ZSK pair, hasn't
> it?

[Warning: still struggling with the subtleties of KSK/ZSK.]

The text you quote is for DNS publication. But you typically do not put KSK in the DNS, no?

I would say, quoting Tolkien: one ZSK per zone, but only one KSK to sign them all.

[AFNIC manages six TLDs so the answer interests us, too.]

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users