<br><br>On Friday, January 9, 2015, Tony Finch <<a href="mailto:fanf2@cam.ac.uk">fanf2@cam.ac.uk</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
> On 9 Jan 2015, at 12:50, Stephane Bortzmeyer <<a href="javascript:;" onclick="_e(event, 'cvml', 'bortzmeyer@nic.fr')">bortzmeyer@nic.fr</a>> wrote:<br>
><br>
> I'm looking for resources discussing the pros and cons of sharing<br>
> DNSSEC keys between zones.<br>
><br>
> I find nothing in RFC 6841 or 6781. Any pointer?<br>
<br>
There is a paragraph about this at <a href="http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#same-key-for-multiple-zones" target="_blank">http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#same-key-for-multiple-zones</a><br>
<br>
It seems to me that most of the cost of DNSSEC key management is dealing with parent delegation changes.</blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"></blockquote><div><br></div><div>Obligatory marketing message on automating this:</div><div><a href="https://tools.ietf.org/html/rfc7344">https://tools.ietf.org/html/rfc7344</a><br></div><div><br></div><div>W<span></span></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Sharing keys between zones does NOT help with this, partly because the zone name is part of the DS hash, so DS records are different for the same key in different zones.<br>
<br>
About the only reason I can see for sharing keys is if you are using an HSM which does not support as many keys as you have zones.<br>
<br>
Tony.<br>
--<br>
f.anthony.n.finch <<a href="javascript:;" onclick="_e(event, 'cvml', 'dot@dotat.at')">dot@dotat.at</a>> <a href="http://dotat.at" target="_blank">http://dotat.at</a><br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="javascript:;" onclick="_e(event, 'cvml', 'dns-operations@lists.dns-oarc.net')">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br>
dns-jobs</a> mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
</blockquote><br><br>-- <br>I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br> ---maf<br>