[dns-operations] Sharing a DNSSEC key between zones

Peter Koch pk at denic.de
Sat Jan 10 10:25:01 UTC 2015

On Fri, Jan 09, 2015 at 07:10:28PM +0000, Tony Finch wrote:

> There is a paragraph about this at http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#same-key-for-multiple-zones

the argument regarding the extent of a compromise only holds if
you think of cryptanalytic rather than operational compromise,
unless you store all the keys differently.  Tough for high numbers.

> It seems to me that most of the cost of DNSSEC key management is dealing with parent delegation changes. Sharing keys between zones does NOT help with this, partly because the zone name is part of the DS hash, so DS records are different for the same key in different zones.

Unless of course, the parent exchange is based on DNSKEY.

> About the only reason I can see for sharing keys is if you are using an HSM which does not support as many keys as you have zones.

yes, or if you want to avoid the hassle of n hundred or m thousand
key generations/re-generations (for new zones/rollovers) compared to just one.

In practice, we do see a few registrants/registrars share keys
across zones.
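The DS point Tony raises above (same DNSKEY, different DS per zone) is worth seeing in code. The following is an added example written for this thread, not code from either poster: it builds DS RDATA per RFC 4034 (key tag from Appendix B, digest over canonical owner name plus DNSKEY RDATA from section 5.1.4) and shows that the key tag stays the same across zones while the digest changes. The DNSKEY public key bytes and zone names are constructed placeholders, not a real key.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    labels lowercased, each prefixed by its length, terminated by the
    zero-length root label. The owner name is what the DS digest covers,
    which is why the same key yields a different DS in each zone."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit
    algorithm, then the raw public key (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY
    RDATA only. No owner name goes in, so it is identical in every zone
    that publishes the same key. (Algorithm 1, RSA/MD5, has a different
    legacy rule and is not handled here.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 section 5.1.4:
    digest = H(canonical owner name || DNSKEY RDATA).
    Digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (RFC 4509 / 6605)."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashes:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return hashes[digest_type](name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes,
              digest_type: int = 2) -> str:
    """Presentation-format DS record for a DNSKEY published at `owner`."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type,
        ds_digest(owner, rdata, digest_type).upper())


if __name__ == "__main__":
    # Constructed placeholder key material; a real RSASHA256 key would be
    # a few hundred bytes of DER-free RSA public key encoding (RFC 3110).
    shared_pubkey = b"\x01\x02\x03\x04"
    for zone in ("example.com.", "example.net."):
        print(ds_record(zone, 257, 8, shared_pubkey))
```

Running the script prints two DS records with the same key tag and algorithm but different digests: only the owner name differs between the two hash inputs. That is the reason a shared key still costs one DS update per zone at the parent.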


