Hi Tony,
Thanks for your answer!
On 23-08-18 at 18:40, Tony Finch wrote:
> Paul van der Vlis wrote:
>>
>> Is it possible to sign the ZSK key permanently with the KSK key?
>> In this way I could keep the KSK key offline.
>
> The only(*) revocation mechanisms in DNSSEC are expiring signatures an
> On 24 Aug 2018, at 2:05 am, Paul van der Vlis wrote:
>
> Hello,
>
> Is it possible to sign the ZSK key permanently with the KSK key?
No. There is no way to signal this in a RRSIG.
> If yes: how to do that?
>
> In this way I could keep the KSK key offline.
>
> With regards,
> Paul van
Paul van der Vlis wrote:
>
> Is it possible to sign the ZSK key permanently with the KSK key?
> In this way I could keep the KSK key offline.
The only(*) revocation mechanisms in DNSSEC are expiring signatures and
replacing keys. If you sign your DNSKEY records permanently, when anyone
manages to