> In your example above I personally would only use one set of keys for all
> those domains, it would make my life so much easier. I suspect some DNS
> providers will similarly share keys across their customers (or per server)
> if they know they can control generation of RRs.

Bad idea, what happens when one customer would like to move his domain from
your name server to another name server? Do you give him your mega-key or do
you tell him to break his chain of trust during the move?

/S

----------------------------------------------------------------------
Stephan Lagerholm
Senior DNS Architect, M.Sc., CISSP
Secure64 Software Corporation, www.secure64.com
Cell: 469-834-3940

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop