Paul van der Vlis <p...@vandervlis.nl> wrote:
>
> Is it possible to sign the ZSK key permanently with the KSK key?
> In this way I could keep the KSK key offline.
The only(*) revocation mechanisms in DNSSEC are expiring signatures and replacing keys. If you sign your DNSKEY records permanently, when anyone manages to compromise them they will be able to spoof records in your zone until you replace the KSK. In effect, what you will have done is coupled the keys together permanently so they are of equivalent power, and eliminated all benefit of keeping the KSK offline.

The point of an offline KSK is to allow you to recover from compromise of your ZSK without having to replace your DS records or other trust anchors.

It's worth having a look at how the root DNSKEY RRset is managed: they get the KSK out of storage a few times a year, when they generate RRSIG records for the next few months.

(*) The other mechanism is the RFC 5011 revoked bit, which only applies to KSKs that are being tracked as auto-updating trust anchors (managed-keys etc.), but that doesn't apply to other records that depend on signature and key rotation for revocation.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
justice and liberty cannot be confined by national boundaries
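The trade-off in Tony's reply can be made concrete with a small model, added here as an example rather than anything posted in the thread. It parses the expiration/inception fields of an RRSIG presentation line, generates the overlapping batch of DNSKEY RRSIGs an offline KSK would produce at one signing ceremony, checks the batch for coverage gaps, and then computes how long a stolen ZSK remains usable (by replaying the old, still validly signed DNSKEY RRset) under a batched schedule versus a "permanent" signature. The zone name, the batch parameters (90 days covered, 10-day slots, 21-day validity) and the sample RRSIG are constructed assumptions, not figures from any real operator.

```python
"""Exposure window of a pre-signed DNSKEY RRset (added example, not from the thread).

Models the point made above: with expiry as the only revocation, a stolen ZSK
stays usable until the last already-generated RRSIG over the DNSKEY RRset that
lists it expires.  All parameters and records below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

Window = Tuple[datetime, datetime]  # (inception, expiration), both UTC
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"     # RFC 4034 presentation format for RRSIG times


def parse_rrsig_time(field: str) -> datetime:
    """Parse a YYYYMMDDHHMMSS RRSIG timestamp as UTC."""
    return datetime.strptime(field, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig_window(line: str) -> Window:
    """Extract (inception, expiration) from a full RRSIG presentation line.

    Field order: owner TTL class RRSIG type alg labels origTTL expiration
    inception keytag signer signature.
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not a full RRSIG presentation line: %r" % line)
    inception, expiration = parse_rrsig_time(f[9]), parse_rrsig_time(f[8])
    if expiration <= inception:
        raise ValueError("RRSIG expiration is not after inception")
    return inception, expiration


def presign_batch(ceremony: datetime, covered_days: int,
                  slot_days: int, validity_days: int) -> List[Window]:
    """Windows an offline KSK would produce at one signing ceremony.

    One RRSIG per slot, each valid for validity_days from its slot start, so
    consecutive signatures overlap and validators never see a gap.  (Assumed
    scheme; the numbers used below are not taken from any real operator.)
    """
    if validity_days <= slot_days:
        raise ValueError("validity must exceed the slot length or coverage has gaps")
    return [(ceremony + timedelta(days=k * slot_days),
             ceremony + timedelta(days=k * slot_days + validity_days))
            for k in range(covered_days // slot_days)]


def coverage_gap(windows: List[Window], start: datetime, end: datetime) -> bool:
    """True if some instant in [start, end) is covered by no window."""
    t = start
    while t < end:
        live = [e for (i, e) in windows if i <= t < e]
        if not live:
            return True
        t = max(live)  # jump to the first instant the current cover runs out
    return False


def exposure_days(windows: List[Window], compromise: datetime) -> int:
    """Days a stolen ZSK stays usable after the operator learns of the theft.

    A new DNSKEY RRset gets published, but the old RRset plus any RRSIG already
    generated for it keeps validating until that RRSIG expires, so exposure
    ends only at the latest such expiration.
    """
    latest = max((e for (_, e) in windows if e > compromise), default=compromise)
    return (latest - compromise).days


# Constructed scenario: ceremony on 1 Jan 2024 signs a quarter's worth of RRSIGs.
CEREMONY = datetime(2024, 1, 1, tzinfo=timezone.utc)
BATCH_END = CEREMONY + timedelta(days=90)
QUARTERLY = presign_batch(CEREMONY, covered_days=90, slot_days=10, validity_days=21)

# Constructed "permanent" signature: expiration set twenty years out.
PERMANENT_RRSIG = ("example.test. 3600 IN RRSIG DNSKEY 13 2 3600 "
                   "20440101000000 20240101000000 12345 example.test. dGVzdA==")
PERMANENT = [parse_rrsig_window(PERMANENT_RRSIG)]

# ZSK theft discovered on 15 Feb 2024, mid-quarter.
COMPROMISE = datetime(2024, 2, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("quarterly batch has gaps:", coverage_gap(QUARTERLY, CEREMONY, BATCH_END))
    print("exposure, quarterly batch:", exposure_days(QUARTERLY, COMPROMISE), "days")
    print("exposure, permanent RRSIG:", exposure_days(PERMANENT, COMPROMISE), "days")
```

With the assumed quarterly batch the replay window after a mid-quarter ZSK theft is under two months and closes on its own; with the permanent signature it only closes when the KSK itself is replaced and the DS record updated, which is the coupling the reply warns about. Shortening the covered period or the per-signature validity shrinks the window at the cost of more frequent ceremonies.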