[Opendnssec-develop] Zone moving between operators

Antoin Verschuren Antoin.Verschuren at sidn.nl
Wed Mar 25 23:36:30 UTC 2009


But then perhaps parents will dictate that policy.
My worry is that in rollovers, the keys must move to the parent.
Processing a giant amount of EPP messages (one per delegation) might be troublesome at a registry.
I wouldn't want our major webhoster to use one key for all its domains. Our systems simply would not be able to process the changes without impact on other transactions. The updates need to be spread out.

I would say one key for multiple zones is unwise.
And as a registry, I would probably forbid it in the policy. 

Antoin Verschuren

Technical Policy Advisor
SIDN
Utrechtseweg 310
PO Box 5022
6802 EA Arnhem
The Netherlands

T +31 26 3525500
F +31 26 3525505
M +31 6 23368970
E antoin.verschuren at sidn.nl
W http://www.sidn.nl/


> -----Original Message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of roy at nominet.org.uk
> Sent: Wednesday, March 25, 2009 10:11 AM
> To: Rick van Rein
> Cc: Opendnssec-develop at lists.opendnssec.org; opendnssec-develop-bounces at lists.opendnssec.org; Matthijs Mekking
> Subject: Re: [Opendnssec-develop] Zone moving between operators
> 
> Rick van Rein wrote on 03/25/2009 10:01:12 AM:
> 
> > Hi,
> >
> > > However, this is no issue if we decide one key should not span
> > > multiple zones.
> >
> > This should neither be the default, nor should it be forbidden.
> > The administrator should be enabled to choose, based on the capacity
> > of the HSM in use (which may be a small USB key, remember).
> >
> > If you forbid it, you disable that cheap range of PKCS #11 devices.
> >
> > If you make it the default, you would not use the full power of a full
> > HSM.
> 
> I agree.
> 
> The software should allow for several schemes, without dictating any
> policy.
> 
> Regards,
> 
> Roy Arends
> Sr. Researcher
> Nominet UK


