[dns-operations] Sharing a DNSSEC key between zones

Warren Kumari warren at kumari.net
Sun Jan 11 00:46:55 UTC 2015


On Friday, January 9, 2015, Tony Finch <fanf2 at cam.ac.uk> wrote:

>
> > On 9 Jan 2015, at 12:50, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> >
> > I'm looking for resources discussing the pros and cons of sharing
> > DNSSEC keys between zones.
> >
> > I find nothing in RFC 6841 or 6781. Any pointer?
>
> There is a paragraph about this at
> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#same-key-for-multiple-zones
>
> It seems to me that most of the cost of DNSSEC key management is dealing
> with parent delegation changes.


Obligatory marketing message on automating this:
https://tools.ietf.org/html/rfc7344

W

>
> Sharing keys between zones does NOT help with this, partly because the
> zone name is part of the DS hash, so DS records are different for the same
> key in different zones.
>
> About the only reason I can see for sharing keys is if you are using an
> HSM which does not support as many keys as you have zones.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
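Tony's point that the zone name is part of the DS hash, and Warren's pointer to RFC 7344, can both be checked with a few lines of code. The block below is an added example, not code from this thread or from anyone on it: it builds the DS digest exactly as RFC 4034 section 5.1.4 specifies (hash over the canonical owner name followed by the DNSKEY RDATA) for one constructed, hypothetical public key placed in two different zones, and formats the result as either a DS record or the identical-RDATA CDS record a child would publish under RFC 7344. The key bytes, the zone names example.com/example.net and the helper names are all assumptions for illustration.

```python
"""RFC 4034 DS digest computation, to show why one DNSKEY yields a different
DS record under each zone it is used in. Added example; the key material is
constructed, not a real key."""
import hashlib
import struct


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 s6.2): labels lowercased,
    each length-prefixed, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format (RFC 4034 s2.1): Flags | Protocol | Algorithm | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_rdata(owner: str, flags: int, protocol: int, algorithm: int,
             pubkey: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS record
    of this DNSKEY at this owner name. RFC 4034 s5.1.4:
    digest = hash(canonical owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](canonical_wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def present(owner: str, ds, rrtype: str = "DS") -> str:
    """Presentation format. A CDS record (RFC 7344) carries exactly the same RDATA
    as the DS the child wants its parent to publish, so rrtype may be 'CDS'."""
    tag, alg, dtype, digest = ds
    return f"{owner.rstrip('.')}. IN {rrtype} {tag} {alg} {dtype} {digest}"


# Constructed 64-byte stand-in for a public key (hypothetical; not a real key).
CONSTRUCTED_PUBKEY = hashlib.sha256(b"constructed example key").digest() * 2
KSK_FLAGS, PROTOCOL, ALG_RSASHA256 = 257, 3, 8


def compare_zones(zone_a: str, zone_b: str):
    """Same DNSKEY in two zones: the key tags match, the DS digests do not,
    because the owner name is hashed in front of the DNSKEY RDATA."""
    a = ds_rdata(zone_a, KSK_FLAGS, PROTOCOL, ALG_RSASHA256, CONSTRUCTED_PUBKEY)
    b = ds_rdata(zone_b, KSK_FLAGS, PROTOCOL, ALG_RSASHA256, CONSTRUCTED_PUBKEY)
    return a, b


if __name__ == "__main__":
    a, b = compare_zones("example.com", "example.net")
    print(present("example.com", a))
    print(present("example.net", b, rrtype="CDS"))
    print("same key tag:", a[0] == b[0], "same digest:", a[3] == b[3])
```

Running it prints two records that share a key tag but carry different digests, which is exactly why a shared key still means one DS change per zone at the parent; the CDS line is what an RFC 7344-aware parent would pick up to make that change without a manual ticket.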