On Fri, Jan 09, 2015 at 07:10:28PM +0000, Tony Finch wrote:
> There is a paragraph about this at
> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#same-key-for-multiple-zones
The argument regarding the extent of a compromise only holds if you think of cryptanalytic rather than operational compromise, unless you store all the keys differently. Tough for high numbers.

> It seems to me that most of the cost of DNSSEC key management is dealing with
> parent delegation changes. Sharing keys between zones does NOT help with
> this, partly because the zone name is part of the DS hash, so DS records are
> different for the same key in different zones.

Unless of course, the parent exchange is based on DNSKEY.

> About the only reason I can see for sharing keys is if you are using an HSM
> which does not support as many keys as you have zones.

Yes, or if you want to avoid the hassle of n hundred or m thousand key generations/re-generations (for new zones/rollovers) compared to just one.

In practice, we do see a few registrants/registrars share keys across zones.

-Peter

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
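To make the point about the DS hash concrete: the digest in a DS record is computed over the canonical wire-format owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), while the key tag (RFC 4034 Appendix B) is computed over the RDATA alone. So one key shared by two zones yields DS records with the same key tag but different digests, whereas a DNSKEY/CDNSKEY-based parent exchange would carry identical RDATA for both zones. The following is an added example written for this page, not code from the thread or from ISC's guide; the zone names and the key bytes are constructed for illustration and are not real key material.

```python
"""Build DS records for one DNSKEY under two owner names (RFC 4034 s5.1.4).

Added example. The key material below is constructed for illustration only.
"""
import hashlib
import struct

# Constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256),
# with 32 arbitrary bytes standing in for the public key. Not a real key.
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBKEY = bytes(range(32))  # constructed, not a real key

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (general case, not the algorithm-1 special
    case). Depends only on the RDATA, so it is the same in every zone."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); the owner name
    is part of the input, so the digest differs per zone for the same key."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS RR for the given owner and DNSKEY RDATA."""
    algorithm = rdata[3]
    return (f"{owner.rstrip('.').lower()}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type).upper()}")


def same_key_two_zones(zone_a: str = "example.com.", zone_b: str = "example.net."):
    """Return the two DS records one shared DNSKEY produces in two zones."""
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY)
    return ds_record(zone_a, rdata), ds_record(zone_b, rdata)


if __name__ == "__main__":
    for rr in same_key_two_zones():
        print(rr)
```

Running it prints two DS records whose key tag and algorithm fields match and whose digests differ; swap the hostnames for your own zones and `PUBKEY` for the key from a real DNSKEY RR to reproduce the DS a registry would expect. The example deliberately lowercases and strips the trailing dot so that `EXAMPLE.COM` and `example.com.` produce the same digest, which is the canonicalisation a validator applies.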