I'm currently working on setting up DNSSEC for all our zones. I have a question regarding keys. Do you use different ZSK and KSKs for each zone? Or do you use the same keys for all zones? How do you handle the reverse zones since they can be comprised of many different domain names?

If you have:



Do you just sign with one pair of keys for all zones?

Gary L. Paveza, Jr.
Technical Specialist - Architecture - HP CSE, SCSA

21st Century Insurance and Financial Services
3 Beaver Valley Road Wilmington Delaware 19803
Phone 302.252.4831

