wbr...@e1b.org wrote:
> We are authoritative for a few dozen small zones. Is it possible to use
> the same KSK for all of them? I can see where if it gets compromised we
> would need to resign all zones using the KSK at once. How much effort
> would I be saving sharing the KSK?
With BIND it i
> I was mistakenly thinking the KSK also had an expiration as the
> the ZSK does.
Keys don't expire; signatures (RRSIGs) do.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users maili
Jan-Piet wrote on 04/27/2012 10:22:39 AM:
> > When the shared KSK needed to be rolled over, you would have to
> > process DS records in the parents of your few dozen zones all at the
> > same time.
>
> *If* you want to roll the KSK, a.k.a. "when did you last roll your SSH
> keys?" :-)
Correct.
> When the shared KSK needed to be rolled over, you would have to
> process DS records in the parents of your few dozen zones all at the
> same time.
*If* you want to roll the KSK, a.k.a. "when did you last roll your SSH
keys?" :-)
-JP
___
Pleas
On 27/04/12 13:40, wbr...@e1b.org wrote:
We are authoritative for a few dozen small zones. Is it possible to use
the same KSK for all of them? I can see where if it gets compromised we
would need to resign all zones using the KSK at once. How much effort
would I be saving sharing the KSK?
Th
> We are authoritative for a few dozen small zones. Is it possible to use the
> same KSK for all of them? I can see where if it gets compromised we would
> need to resign all zones using the KSK at once. How much effort would I be
> saving sharing the KSK?
My sense is that you would be creat
On Fri, Apr 27, 2012 at 08:40:54AM -0400, wbr...@e1b.org wrote:
> We are authoritative for a few dozen small zones. Is it possible to use
> the same KSK for all of them? I can see where if it gets compromised we
> would need to resign all zones using the KSK at once. How much effort
> would I
7 matches
Mail list logo
