[dns-operations] Sharing a DNSSEC key between zones

Tony Finch fanf2 at cam.ac.uk
Fri Jan 9 19:10:28 UTC 2015

> On 9 Jan 2015, at 12:50, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> I'm looking for resources discussing the pros and cons of sharing
> DNSSEC keys between zones.
> I find nothing in RFC 6841 or 6781. Any pointer?

There is a paragraph about this at http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#same-key-for-multiple-zones

It seems to me that most of the cost of DNSSEC key management is dealing with parent delegation changes. Sharing keys between zones does NOT help with this, partly because the zone name is part of the DS hash, so DS records are different for the same key in different zones.

About the only reason I can see for sharing keys is if you are using an HSM which does not support as many keys as you have zones.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at
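Worked illustration of the point about the zone name being part of the DS digest. This is an added example, not code from the thread or from the ISC guide; it implements the DS digest construction from RFC 4034 section 5.1.4 (digest over the canonical wire-format owner name followed by the DNSKEY RDATA) and the key tag from RFC 4034 Appendix B. The DNSKEY flags/algorithm values and the 32-byte public key are constructed inputs chosen only so the script runs offline; the zone names are the reserved example domains.

```python
"""Same DNSKEY, two zones: identical key tag, different DS digests.

Added example (not from the original post). Implements RFC 4034:
  - section 6.2  canonical owner name (lowercase, uncompressed wire format)
  - section 5.1.4 DS digest = hash(canonical owner name | DNSKEY RDATA)
  - Appendix B    key tag computed over the DNSKEY RDATA only
"""
import hashlib
import struct

# Constructed sample key material (NOT a real key): KSK flags (257),
# protocol 3, algorithm 13 (ECDSAP256SHA256), 32 arbitrary key bytes.
SAMPLE_FLAGS = 257
SAMPLE_PROTOCOL = 3
SAMPLE_ALGORITHM = 13
SAMPLE_PUBKEY = bytes(range(32))

DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: labels lowercased, terminated by root."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag. Depends on the RDATA only, not the owner."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 section 5.1.4: digest over owner name || DNSKEY RDATA."""
    hash_fn = DIGEST_FUNCS[digest_type]
    return hash_fn(wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS RR for the given zone and DNSKEY RDATA."""
    algorithm = rdata[3]
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


SAMPLE_RDATA = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                            SAMPLE_ALGORITHM, SAMPLE_PUBKEY)

if __name__ == "__main__":
    # One key shared by two zones: the DS records are different anyway.
    for zone in ("example.com.", "example.net."):
        print(ds_record(zone, SAMPLE_RDATA))
```

Running it prints two DS records with the same key tag and algorithm but unrelated digests, which is why a shared key does nothing to reduce the number of distinct DS changes that must be pushed to each parent.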
