Hi Tony,

Thanks for your answer!
On 23-08-18 at 18:40, Tony Finch wrote:
> Paul van der Vlis <p...@vandervlis.nl> wrote:
>>
>> Is it possible to sign the ZSK key permanently with the KSK key?
>> In this way I could keep the KSK key offline.
>
> The only(*) revocation mechanisms in DNSSEC are expiring signatures and
> replacing keys. If you sign your DNSKEY records permanently, when anyone
> manages to compromise them they will be able to spoof records in your zone
> until you replace the KSK.
>
> In effect, what you will have done is coupled the keys together
> permanently so they are of equivalent power, and eliminated all benefit of
> keeping the KSK offline.
>
> The point of an offline KSK is to allow you to recover from compromise of
> your ZSK without having to replace your DS records or other trust anchors.

If the ZSK and KSK are in the same place, they will be compromised together, I would say.

> It's worth having a look at how the root DNSKEY RRset is managed: they get
> the KSK out of storage a few times a year, when they generate RRSIG
> records for the next few months.

A long TTL is needed then.

> (*) The other mechanism is the RFC 5011 revoked bit, which only applies to
> KSKs that are being tracked as auto-updating trust anchors (managed-keys
> etc.) but that doesn't apply to other records that depend on signature and
> key rotation for revocation.

Isn't it possible to revoke the ZSK key, and sign the zone with a new ZSK key?

Without an offline KSK, I do not see a reason for both a KSK and a ZSK key. Do you?

With regards,
Paul van der Vlis

--
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/
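The ceremony-style practice Tony describes (take the KSK out of storage a few times a year and sign the DNSKEY RRset for the months ahead) can be planned and checked with a small script. The following is an added example written for this thread, not code from either poster or from ISC; the ceremony cadence, signature lifetime, publish interval, clock-skew allowance and all dates are constructed assumptions, and the signing itself is left to the zone-signing tools. It shows the RRSIG inception/expiration windows one ceremony must produce so that a current signature always exists until the next ceremony, verifies that consecutive windows overlap, and computes how long a compromised ZSK in that DNSKEY RRset would still validate: since a validator only checks the RRSIG time window, the last pre-signed expiration is the exposure bound, which a permanent signature would make unbounded.

```python
"""Plan DNSKEY RRSIG validity windows for an offline KSK (constructed example).

Parameter values below are illustrative assumptions, not any operator's
real settings; signing is done by the zone-signing tools, not here.
"""
from datetime import datetime, timedelta, timezone

# RFC 4034 presentation format for RRSIG Signature Inception/Expiration (UTC).
RRSIG_TIME = "%Y%m%d%H%M%S"


def rrsig_time(t: datetime) -> str:
    """Format a datetime the way RRSIG inception/expiration fields are displayed."""
    return t.astimezone(timezone.utc).strftime(RRSIG_TIME)


def plan_dnskey_rrsigs(ceremony, next_ceremony,
                       sig_lifetime=timedelta(days=21),
                       publish_interval=timedelta(days=10),
                       skew=timedelta(hours=1),
                       slack=timedelta(days=14)):
    """Return (inception, expiration) windows for the DNSKEY RRSIGs one KSK
    ceremony must produce so a current signature exists until the next
    ceremony plus `slack` (in case that ceremony slips).

    Each RRSIG is backdated by `skew` to tolerate validator clock drift.
    Windows overlap only if sig_lifetime > publish_interval; use no_gaps()
    to verify that before shipping the plan.
    """
    windows = []
    i = 0
    while True:
        signed_at = ceremony + i * publish_interval  # when this RRSIG goes into service
        window = (signed_at - skew, signed_at + sig_lifetime)
        windows.append(window)
        if window[1] >= next_ceremony + slack:
            return windows
        i += 1


def no_gaps(windows) -> bool:
    """True if every RRSIG becomes valid no later than its predecessor expires."""
    return all(nxt[0] <= prev[1] for prev, nxt in zip(windows, windows[1:]))


def rrsig_is_current(now, inception, expiration) -> bool:
    """The time check a validator applies: an RRSIG is accepted only inside its
    window. Nothing else revokes it, so this window is the exposure bound."""
    return inception <= now <= expiration


def exposure_ends(windows):
    """If the ZSK in this DNSKEY RRset is compromised, an attacker can replay the
    pre-signed RRset and its RRSIGs until the LAST one expires, whatever the
    operator publishes meanwhile. A 'permanent' RRSIG would make this unbounded."""
    return max(exp for _, exp in windows)


def example_plan(sig_lifetime_days=21, publish_interval_days=10):
    """Constructed schedule: a ceremony on 2018-08-23 with the next one 90 days later."""
    ceremony = datetime(2018, 8, 23, tzinfo=timezone.utc)
    return plan_dnskey_rrsigs(ceremony, ceremony + timedelta(days=90),
                              sig_lifetime=timedelta(days=sig_lifetime_days),
                              publish_interval=timedelta(days=publish_interval_days))


def main():
    windows = example_plan()
    for inc, exp in windows:
        # Mirrors the RRSIG field order: ... expiration inception ...
        print(f"RRSIG DNSKEY ... {rrsig_time(exp)} {rrsig_time(inc)} ...")
    print("overlapping windows:", no_gaps(windows))
    print("compromised ZSK would still validate until:", rrsig_time(exposure_ends(windows)))


if __name__ == "__main__":
    main()
```

Lowering `sig_lifetime` below `publish_interval` makes `no_gaps()` fail, which is the case to catch before the KSK goes back into storage; raising it lengthens the window during which a stolen ZSK keeps validating, which is the trade-off Tony's reply is about.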