[Opendnssec-develop] Zone moving between operators

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Mar 23 23:50:20 UTC 2009



That's not really the point I am trying to make. I guess what I meant
was that if one key is used for many zones and it gets compromised, it
could have great impact in the sense that all the zones need to be
rolled over, perhaps many DS records need to be replaced, and many updates
need to go to the secondaries.

Another issue is that if zone A is transferred to another DNS party, and
the zone uses a key that is in use for many zones. In that case, zone A
needs an immediate rollover, but the key should be kept alive because it
is in use for other zones.

However, this is no issue if we decide one key should not span multiple
zones.

Matthijs

Jakob Schlyter schreef:
> On 23 mar 2009, at 11.54, Matthijs Mekking wrote:
> 
>> * Should we really want to use the same key for multiple zones? It could
>> have great impact if it became compromised. And does KASP have the logic
>> if a key for zone A needs to be rolled over, but must be kept for other
>> zones?
> 
> could you, or someone else, describe a scenario where one key in a HSM
> would be compromised while other keys in the same HSM are not?
> (given that we use RSA with reasonable key lengths)
> 
>     jakob
> 
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
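The two situations discussed in this thread (blast radius of a compromised shared key, and a zone leaving while its key is still used elsewhere) as an added example, not code from OpenDNSSEC or from either poster; the zone-to-key mapping and key ids are constructed sample data, and the function names are hypothetical:

```python
# Constructed sample: three zones share one KSK, a fourth has its own.
# Maps zone name -> id of the key currently signing it.
SAMPLE_KEYS = {
    "a.example": "ksk-shared",
    "b.example": "ksk-shared",
    "c.example": "ksk-shared",
    "d.example": "ksk-d",
}


def zones_using(keys, key_id):
    """All zones currently signed with key_id, sorted for stable output."""
    return sorted(z for z, k in keys.items() if k == key_id)


def compromise_impact(keys, key_id):
    """What a compromise of key_id forces: every zone signed with it needs
    an emergency rollover, and each of those zones needs a new DS record
    at its parent, plus updates pushed to its secondaries."""
    affected = zones_using(keys, key_id)
    return {"rollover": affected, "ds_updates": len(affected)}


def hand_over_zone(keys, zone):
    """Zone leaves this operator for another DNS party: it is dropped from
    the local key mapping and rolled over by the new party. The old key may
    only be retired here if no remaining zone still depends on it."""
    old_key = keys.pop(zone)
    still_shared_with = zones_using(keys, old_key)
    return {
        "zone": zone,
        "old_key": old_key,
        "retire_old_key": not still_shared_with,
        "still_shared_with": still_shared_with,
    }


def assign_key(keys, zone, key_id, allow_shared_keys):
    """Policy check for the one-key-per-zone option: refuse to reuse a key
    that already signs another zone when sharing is disabled."""
    if not allow_shared_keys and any(k == key_id for z, k in keys.items() if z != zone):
        raise ValueError(f"{key_id} already signs another zone; sharing is disabled")
    keys[zone] = key_id
```

With sharing disabled, hand_over_zone always reports retire_old_key as True, which is the simplification the message ends on.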
