[dns-operations] Sharing a DNSSEC key between zones

Olafur Gudmundsson ogud at ogud.com
Mon Jan 12 11:25:38 UTC 2015

> On Jan 9, 2015, at 7:50 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> I'm looking for resources discussing the pros and cons of sharing
> DNSSEC keys between zones.
> I find nothing in RFC 6841 or 6781. Any pointer?

I do not think there has been much thought given to this topic, 
for all practical purposes many  have just adopted the model 
“lets generate keys for each zone” 
Some Registrars acting as DNS operators seem to use the same key for all the zones they sign. 

If you think about it you need to balance few factors: 
	how closely are the zones tied together (policy question) 
	how are the zones signed i.e. signed by the same signer
	what is the overhead of managing many keys, both for signing and for rollovers
	what is the impact if a zone that shares a key wants to leave “operator” 
	The more zones share a key does that make the key more “valuable” as  target
	What is the key rotation policy for the zones (sharing implies the same) 
	Generating more keys increases the possibility of someone else generates the same key (unlikely) 
	Does algorithm choice make a difference



More information about the dns-operations mailing list