<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 9, 2017 at 11:51 AM, Arun Natarajan <span dir="ltr"><<a href="mailto:arun@arunns.com" target="_blank">arun@arunns.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Normally using the same key for multiple zones is not a problem. Having<br>
more signed data exposed does weaken your key, though I don't think<br>
conceptually there is any difference between signing 1000 1K record<br>
zones versus 1 1000K record zone. It is just more data, which you can<br>
mitigate by rolling your keys more often.<br></blockquote><div><br></div></span><div>Thanks Yuri.<br><br></div><div>Trying to compare the effort/impact of maintaining separate keys for n number of zones vs a shared key for all those zones with frequent rollover.<br><br></div><div>Yes, the plaintext attack - I believe it does not matter - shared keys with multiple zones or a large zone with dedicated keys have the same risk?<br></div><div><br>The concerns about shared keys were also about the practical side:<br></div><div>- should the keys be rolled over at the same time for all zones?<br></div></div></div></div></div></blockquote><div><br></div><div>I'm using shared keys for multiple zones. I set these zones under one policy, then rotate the keys per policy and not per zone.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><div></div><div>- introducing new zones - does it really use the active shared key for signing a new zone, especially when the key is supposed to be dead based on an old zone policy?<br></div></div></div></div></div></blockquote><div><br></div><div>Did not test this one, it's an unlikely scenario in my case, but it's worth a try. </div><div><br></div><div>Emil</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Now the specific case: when the zone content is not in your control.<br>
I.e. you use the same key to sign the data of multiple customers. If<br>
your customer can instruct your setup to sign chosen data (adding<br>
records etc) it can use that to gain more knowledge about its key => and<br>
thereby the key of others.<br></blockquote><div> </div></span><div>Yes, I meant the zones belong to one organization.<br></div><div>--<br></div><div>arun<br></div></div></div></div></div>
<br>_______________________________________________<br>
Opendnssec-user mailing list<br>
<a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a><br>
<a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" rel="noreferrer" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
<br></blockquote></div><br></div></div>