Hi Tony,
Thanks for your answer!
On 23-08-18 at 18:40, Tony Finch wrote:
> Paul van der Vlis wrote:
>>
>> Is it possible to sign the ZSK key permanently with the KSK key?
>> In this way I could keep the KSK key offline.
>
> The only(*) revocation mechanisms in DNSSEC are expiring signatures an
> On 24 Aug 2018, at 2:05 am, Paul van der Vlis wrote:
>
> Hello,
>
> Is it possible to sign the ZSK key permanently with the KSK key?
No. There is no way to signal this in a RRSIG.
> If yes: how to do that?
>
> In this way I could keep the KSK key offline.
>
> With regards,
> Paul van
Paul van der Vlis wrote:
>
> Is it possible to sign the ZSK key permanently with the KSK key?
> In this way I could keep the KSK key offline.
The only(*) revocation mechanisms in DNSSEC are expiring signatures and
replacing keys. If you sign your DNSKEY records permanently, when anyone
manages to
Hello,
Is it possible to sign the ZSK key permanently with the KSK key?
If yes: how to do that?
In this way I could keep the KSK key offline.
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/