> We are authoritative for a few dozen small zones.  Is it possible to use the 
> same KSK for all of them?  I can see where if it gets compromised we would 
> need to re-sign all zones using the KSK at once.  How much effort would I be 
> saving sharing the KSK?

My sense is that you would be creating more effort, at least more concentrated 
effort, for yourself on the back end. When the shared KSK needed to be rolled 
over, you would have to process DS records in the parents of your few dozen 
zones all at the same time. Instead you could script dnssec-keygen to create 
unique KSKs for each zone, and in so doing you could adjust the timing metadata 
for each to spread this rollover workload over a suitable period of time. My 
sense is that keeping track of the KSK files themselves does not create a large 
amount of administrative overhead.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
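One way to script the per-zone KSK generation with staggered timing described above, as an added example that is not from the original thread. The zone list, key directory, algorithm and interval lengths are constructed placeholders; the `-A`/`-I`/`-D` relative offsets (`+Nd`) are dnssec-keygen's own timing syntax.

```shell
#!/bin/sh
# Emit one dnssec-keygen command per zone, staggering each KSK's inactive and
# delete dates so the rollovers (and the DS updates in the parents) spread out
# over weeks instead of all landing at once. Review the plan, then pipe to sh.

KEYDIR="${KEYDIR:-/var/named/keys}"     # assumed key directory
ALGO="${ALGO:-ECDSAP256SHA256}"         # assumed KSK algorithm
LIFETIME_DAYS=365                       # base lifetime before a KSK goes inactive
STAGGER_DAYS=7                          # gap between consecutive zones' rollovers
RETIRE_DAYS=30                          # keep the old key published after inactive

# ksk_gen_cmd ZONE INDEX -> prints the dnssec-keygen invocation for ZONE.
# Publish/activate default to "now"; inactive/delete are offset by INDEX weeks.
ksk_gen_cmd() {
    zone=$1
    idx=$2
    inactive=$(( LIFETIME_DAYS + idx * STAGGER_DAYS ))
    delete=$(( inactive + RETIRE_DAYS ))
    printf 'dnssec-keygen -K %s -a %s -f KSK -A now -I +%dd -D +%dd %s\n' \
        "$KEYDIR" "$ALGO" "$inactive" "$delete" "$zone"
}

# Constructed sample zone list; in practice read it from a file.
ZONES="example.org example.net example.com"

# ksk_plan -> prints the full set of commands, one zone per line.
ksk_plan() {
    i=0
    for z in $ZONES; do
        ksk_gen_cmd "$z" "$i"
        i=$(( i + 1 ))
    done
}

ksk_plan
```

When a KSK nears its inactive date, `dnssec-keygen -S <keyfile>` creates a successor whose activation matches the old key's inactivation, so the stagger carries over to the next rollover.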
