On 04/26/2011 02:13 AM, /dev/rob0 wrote:
> I feel like I am understanding the "how" of this DNSSEC stuff, but
> I'm not so sure about some of the "whys". This post is asking a bit
> of both.
>
> I've got a static zone, nodns4.us., which is now signed. It's the
> parent zone to dynamic.nodns4.us., a dynamic zone. Is there any
> reason why I can't use the parent zone's KSK for the dynamic zone?
> Better yet, is there a reason why I shouldn't?

Better yet, why *would* you? Keys aren't exactly expensive to generate.

Anyway, the answer is "not really". The keys that BIND generates include the zone name, and you can't easily use a key whose name != zone, and certainly not whose name is in a different zone.

You're just complicating your life to no benefit. Use a different key for the child.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
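
An added example, not part of the original thread or of BIND's code: it shows two places where a DNSSEC key is tied to its owner name, the `Knnnn.+aaa+iiiii` key file name written by `dnssec-keygen` and the DS digest, which per RFC 4034 section 5.1.4 hashes the owner name together with the DNSKEY RDATA. The function names are hypothetical and the public key bytes are constructed sample data, not a real key.

```python
import hashlib
import struct

# Constructed sample data: NOT a real RSA public key, just fixed bytes.
SAMPLE_PUBKEY = bytes(range(1, 65))
KSK_FLAGS, PROTOCOL, ALG_RSASHA256 = 257, 3, 8


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a fully qualified name."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; computed over the RDATA only."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest = SHA-256(owner name in wire format | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def key_file_base(owner: str, algorithm: int, rdata: bytes) -> str:
    """Base file name in the Knnnn.+aaa+iiiii form used by dnssec-keygen."""
    fqdn = owner.lower().rstrip(".") + "."
    return "K%s+%03d+%05d" % (fqdn, algorithm, key_tag(rdata))


if __name__ == "__main__":
    rdata = dnskey_rdata(KSK_FLAGS, PROTOCOL, ALG_RSASHA256, SAMPLE_PUBKEY)
    for zone in ("nodns4.us.", "dynamic.nodns4.us."):
        print(zone, key_file_base(zone, ALG_RSASHA256, rdata))
        print("  DS digest:", ds_digest_sha256(zone, rdata))
```

The key tag is identical for both names because it covers only the RDATA, while the file name and the DS digest change with the owner name, so a DS record computed for one zone name will not match the same key bytes published under another.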
