[dns-operations] Sharing a DNSSEC key between zones

Warren Kumari warren at kumari.net
Sun Jan 11 00:46:55 UTC 2015

On Friday, January 9, 2015, Tony Finch <fanf2 at cam.ac.uk> wrote:

> > On 9 Jan 2015, at 12:50, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> >
> > I'm looking for resources discussing the pros and cons of sharing
> > DNSSEC keys between zones.
> >
> > I find nothing in RFC 6841 or 6781. Any pointer?
> There is a paragraph about this at
> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#same-key-for-multiple-zones
> It seems to me that most of the cost of DNSSEC key management is dealing
> with parent delegation changes.

Obligatory marketing message on automating this:

> Sharing keys between zones does NOT help with this, partly because the
> zone name is part of the DS hash, so DS records are different for the same
> key in different zones.
> About the only reason I can see for sharing keys is if you are using an
> HSM which does not support as many keys as you have zones.
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at

I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
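The point Tony makes about the DS hash can be checked directly: per RFC 4034 section 5.1.4 the DS digest is computed over the canonical wire form of the owner name concatenated with the DNSKEY RDATA, so one DNSKEY published in two zones yields two different DS records (the key tag, which is computed over the RDATA alone, stays the same). The following is an added example, not code from this thread or from the ISC guide; it uses only the Python standard library, the key material is constructed dummy bytes (not a real key), and the zone names are placeholders.

```python
import hashlib
import struct

# RFC 4034 s5.1.3 digest types (only the ones commonly deployed).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2):
    labels lowercased, each length-prefixed, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for lbl in labels:
        raw = lbl.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % lbl)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B. Note the input is the DNSKEY RDATA
    only; the owner name does not enter into it."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 s5.1.4: hash(owner name in wire form || DNSKEY RDATA)."""
    h = DIGEST_TYPES[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS RR for `owner` pointing at `rdata`."""
    algorithm = rdata[3]
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)
    )


def ds_for_shared_key(zones, rdata: bytes, digest_type: int = 2) -> dict:
    """Map each zone name to the DS record it would need in its parent
    when all of the zones publish the same DNSKEY."""
    return {z: ds_record(z, rdata, digest_type) for z in zones}


# Constructed example: a KSK-flagged (257) ECDSAP256SHA256 (13) DNSKEY whose
# 64-byte public key is dummy data, NOT a real key. Zone names are placeholders.
EXAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
EXAMPLE_ZONES = ["example.com.", "example.net.", "sub.example.org."]

if __name__ == "__main__":
    print("key tag (zone-independent): %d" % key_tag(EXAMPLE_RDATA))
    for zone, ds in ds_for_shared_key(EXAMPLE_ZONES, EXAMPLE_RDATA).items():
        print(ds)
```

Running it prints one DS line per zone: identical key tag, algorithm and digest type, but a different digest in each, which is why a parent-side DS change has to be made per zone no matter how many zones share the key. The owner-name canonicalisation also means `Example.COM.` and `example.com.` produce the same DS, so comparing digests across registrars with differing case is safe.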