[Opendnssec-develop] Zone moving between operators
John Dickinson
jad at jadickinson.co.uk
Tue Mar 24 10:30:29 UTC 2009
On 23 Mar 2009, at 23:50, Matthijs Mekking wrote:
> That's not really the point I am trying to make. I guess what I meant was that if one key is used for many zones and it gets compromised it could have great impact in the sense that all the zones need to be rolled over, perhaps many DS records need to be replaced and many updates need to go to the secondaries.
>
> Another issue is that if zone A is transferred to another DNS party, and that zone uses a key that is in use for many zones. In that case, zone A needs an immediate rollover, but the key should be kept alive because it is in use for other zones.
>
> However, this is no issue if we decide one key should not span multiple zones.
But it is only an option - keys may be used for either 1 zone or all zones in a policy.
John
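The two situations raised in the thread (a shared key being compromised, and a zone that uses a shared key moving to another operator) can be reasoned about from a plain key-to-zone mapping. The following Python is an added illustration written for this page; it is not OpenDNSSEC code, and the zone names, key ids and the two example policies are constructed. It shows the rollover blast radius of a key compromise under a shared-key policy versus a one-key-per-zone policy, and which keys must stay alive when a zone leaves.

```python
"""Model the two key-allocation choices discussed in the thread:
one key per zone, or one key shared by every zone in a policy.
All zone names and key ids are constructed sample data."""

from collections import defaultdict

# zone -> list of key ids currently signing it (constructed)
SHARED = {
    "example.org": ["zsk-shared-1"],
    "example.net": ["zsk-shared-1"],
    "example.com": ["zsk-shared-1"],
}
PER_ZONE = {
    "example.org": ["zsk-org-1"],
    "example.net": ["zsk-net-1"],
    "example.com": ["zsk-com-1"],
}


def key_index(assignments):
    """Invert zone -> keys into key -> set of zones using that key."""
    index = defaultdict(set)
    for zone, keys in assignments.items():
        for key in keys:
            index[key].add(zone)
    return dict(index)


def rollover_blast_radius(assignments, compromised_key):
    """Zones that must be rolled over (and may need DS replacement and
    secondary updates) if `compromised_key` is compromised."""
    return sorted(key_index(assignments).get(compromised_key, set()))


def transfer_out(assignments, leaving_zone):
    """Plan for a zone moving to another DNS operator.

    The leaving zone is rolled over regardless. Each of its keys is either
    retired (no other zone uses it) or kept alive, listing the zones that
    still depend on it.
    """
    index = key_index(assignments)
    plan = {"rollover": [leaving_zone], "retire": [], "keep_alive": {}}
    for key in assignments.get(leaving_zone, []):
        others = index[key] - {leaving_zone}
        if others:
            plan["keep_alive"][key] = sorted(others)
        else:
            plan["retire"].append(key)
    return plan


if __name__ == "__main__":
    print("shared key compromised:", rollover_blast_radius(SHARED, "zsk-shared-1"))
    print("per-zone key compromised:", rollover_blast_radius(PER_ZONE, "zsk-org-1"))
    print("example.org leaves (shared):", transfer_out(SHARED, "example.org"))
    print("example.org leaves (per-zone):", transfer_out(PER_ZONE, "example.org"))
```

Under the shared policy a single compromised key forces every zone in the policy to roll, while under the per-zone policy only the affected zone rolls; and when a zone leaves, a shared key cannot simply be destroyed because the remaining zones still sign with it.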