[Opendnssec-develop] Zone moving between operators

John Dickinson jad at jadickinson.co.uk
Tue Mar 24 10:30:29 UTC 2009

On 23 Mar 2009, at 23:50, Matthijs Mekking wrote:

> Hash: SHA1
> That's not really the point I am trying to make. I guess what I meant
> was that if one key is used for many zones and it gets compromised it
> could have great impact in the sense that all the zones need to be
> rollovered, perhaps many DS records need to be replaced and many  
> updates
> need to go to the secondaries.
> Another issue is that if zone A is transferred to another DNS party,  
> and
> zone uses a key that is in use for many zones. In that case, zone A
> needs an immediate rollover, but the key should be kept alive  
> because it
> is use for other zones.
> However, this is no issue if we decide one key should not span  
> multiple
> zones.

But it is only an option - keys may be used for either 1 zone or all  
zones in a policy.


More information about the Opendnssec-develop mailing list