DNSSEC -> subdomains -> keys

2019-12-07 Thread Elimar Riesebieter
Hi all, is it possible to have one key pair for DNSSEC to sign subdomains in different zonefiles? Elimar -- The path to source is always uphill! -unknown-

Re: DNSSEC -> subdomains -> keys

2019-12-07 Thread Chuck Aurora
On 2019-12-07 08:24, Elimar Riesebieter wrote:
> is it possible to have one key pair for DNSSEC to sign subdomains in different zonefiles?

IIUC how it works, the generation of a key pair includes the zone name, so no, I do not think it is possible. Also, and more to the point, there's no benefit

Re: DNSSEC -> subdomains -> keys

2019-12-07 Thread Ondřej Surý
It is certainly possible, but it requires some manual changes to the respective public and private key files to match the zones. But I would concur with Chuck that the benefit from doing so is nonexistent and unless you have specific strong reasons to do so, it’s better to have a separate key-p