[dns-operations] Sharing a DNSSEC key between zones
warren at kumari.net
Sun Jan 11 00:46:55 UTC 2015
On Friday, January 9, 2015, Tony Finch <fanf2 at cam.ac.uk> wrote:
> > On 9 Jan 2015, at 12:50, Stephane Bortzmeyer <bortzmeyer at nic.fr
> > I'm looking for resources discussing the pros and cons of sharing
> > DNSSEC keys between zones.
> > I find nothing in RFC 6841 or 6781. Any pointer?
> There is a paragraph about this at
> It seems to me that most of the cost of DNSSEC key management is dealing
> with parent delegation changes.
Obligatory marketing message on automating this:
Sharing keys between zones does NOT help with this, partly because the
> zone name is part of the DS hash, so DS records are different for the same
> key in different zones.
> About the only reason I can see for sharing keys is if you are using an
> HSM which does not support as many keys as you have zones.
> dns-operations mailing list
> dns-jobs mailing list
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations