[dns-operations] Surprisingly large cluster of domains sharing the same pair of 512-bit ZSKs and some more RSA key oddities

Patrick Mevzek mevzek at uniregistry.com
Thu Dec 14 21:02:46 UTC 2017

On 30/10/2017 07:49, Viktor Dukhovni wrote:
> Looking closely at the data gathered by the DANE survey I've
> run into more than 54 thousand (!!!) domains that have the same
> pair of 512-bit RSA keys for their ZSKs. 

As a loosely related fact, maybe not so well known (and sorry if it is
well known), in some domain name registries you have the concept of a
"DNSSEC key group", through a specific EPP extension (not a standard
one; there are at least 2 separate implementations of it in the wild).

With that, a registrar can create a set of some KSK/ZSK that it then
links to whatever number of domain names it sponsors. Of course the
registry then implements the keyData interface of secDNS-1.1 and
deals itself with creating the appropriate DS records.

The emphasis is on the fact that if you need to change a key in 1000
domains, that way you have only one operation to update the keygroup
object, instead of 1000 domain updates.

But the corollary is of course that the same key(s) are used for many

PS: some of the examples you give are in registries having this concept,
so the above may or may not explain some of your data.

Patrick Mevzek
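The mechanics behind the "keyData interface" mentioned above, as an added worked example that is not part of the original post or of any registry's EPP code: a registry receiving DNSKEY material (flags, protocol, algorithm, RFC 3110 public key) derives the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) itself, and because the owner name is hashed together with the RDATA, a key group shared by many domains yields one key tag but a different DS per domain. The `survey()` function and the `SAMPLE_ZONES` data are constructed for this example (the moduli are arbitrary odd integers, not real RSA keys, and three zones deliberately share one 512-bit ZSK); the survey logic is a hypothetical check of the kind one could run over such data, not the method of the DANE survey the thread discusses.

```python
"""Added example: DNSKEY -> key tag / DS derivation as a registry would do it,
plus a constructed survey for shared and undersized RSA keys across zones."""
import base64
import hashlib
import struct
from collections import defaultdict


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, uncompressed."""
    labels = name.rstrip(".").lower().split(".") if name.strip(".") else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def rfc3110_public_key(exponent: int, modulus: int) -> str:
    """RSA public key in RFC 3110 DNSKEY format (exponent length, exponent, modulus), base64."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + struct.pack("!H", len(exp))
    return base64.b64encode(prefix + exp + mod).decode("ascii")


def rsa_modulus_bits(pubkey_b64: str) -> int:
    """Key size of an RFC 3110 encoded RSA key: skip the exponent, measure the modulus."""
    raw = base64.b64decode(pubkey_b64)
    if raw[0] != 0:
        exp_len, off = raw[0], 1
    else:
        exp_len, off = struct.unpack("!H", raw[1:3])[0], 3
    return int.from_bytes(raw[off + exp_len:], "big").bit_length()


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5, alg 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA as published in the parent zone: 'keytag algorithm digesttype digest'.
    The digest covers the canonical owner name followed by the DNSKEY RDATA, so the
    same key under two owner names gives two different DS records with one key tag."""
    algorithm = rdata[3]
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # type 1 only for legacy DS
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def survey(zones: dict, min_bits: int = 1024):
    """Hypothetical check: group zones by the exact (algorithm, public key) they publish and
    flag RSA keys below min_bits. zones maps owner -> [(flags, protocol, algorithm, pubkey_b64)]."""
    by_key = defaultdict(set)
    weak = {}
    for owner, records in zones.items():
        for flags, proto, alg, pub in records:
            by_key[(alg, pub)].add(owner)
            if alg in (5, 7, 8, 10) and rsa_modulus_bits(pub) < min_bits:  # RSA algorithms
                weak[(owner, key_tag(dnskey_rdata(flags, proto, alg, pub)))] = rsa_modulus_bits(pub)
    shared = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    return shared, weak


# Constructed sample data (not real keys): one 512-bit ZSK "key group" used by three zones
# and one 2048-bit KSK used by a single zone. Moduli are arbitrary odd integers.
SHARED_ZSK = rfc3110_public_key(65537, (1 << 511) | 0x1001)
LONE_KSK = rfc3110_public_key(65537, (1 << 2047) | 0x3)
SAMPLE_ZONES = {
    "alpha.example.": [(256, 3, 8, SHARED_ZSK)],
    "beta.example.": [(256, 3, 8, SHARED_ZSK)],
    "gamma.example.": [(256, 3, 8, SHARED_ZSK), (257, 3, 8, LONE_KSK)],
}

if __name__ == "__main__":
    shared, weak = survey(SAMPLE_ZONES)
    for (alg, pub), owners in shared.items():
        print(f"alg {alg} key shared by {len(owners)} zones: {', '.join(owners)}")
    for (owner, tag), bits in sorted(weak.items()):
        print(f"{owner} key tag {tag}: {bits}-bit RSA")
    print("gamma.example. KSK DS:", ds_record("gamma.example.", dnskey_rdata(257, 3, 8, LONE_KSK)))
```

Grouping on the full public key rather than on the key tag is deliberate: the tag is a 16-bit checksum and collides on its own, so a tag-only cluster proves nothing, whereas identical RFC 3110 bytes under several owners is exactly the sharing the key-group model produces.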
