[Opendnssec-develop] Zone moving between operators

Jelte Jansen jelte at NLnetLabs.nl
Thu Mar 26 09:25:18 UTC 2009


Antoin Verschuren wrote:
> But then perhaps parents will dictate that policy.
> My worry is that in rollovers, the keys must move to the parent.
> Processing a giant amount of EPP messages (one per delegation) might be troublesome at a registry.
> I wouldn't want our major webhoster to use one key for all its domains. Our systems simply would not be able to process the changes without impact on other transactions. The updates need to be spread out.
> 

As has been mentioned before, even if you use 1 key for each of your
75000 zones, and store all those keys in one place, chances are that
you're going to need to roll 75000 keys if that location is compromised.

> I would say one key for multiple zones is unwise.

Unwise in general, certainly. But I think there will be valid use-cases.

> And as a registry, I would probably forbid it in the policy. 
> 

That's your choice. Or you could charge people with that many zones more ;)

A better way forward, at least for opendnssec, would imho be a way to
spread updates to parents; i.e. an option
'don't-send-more-than-X-DS-records-per-Y' or something. That will affect
other timing issues though.

Jelte
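
The 'don't-send-more-than-X-DS-records-per-Y' option sketched above, worked through as an added example. This is not OpenDNSSEC code and not from anyone in this thread; the function names, the even spreading of submissions (rather than bursts at the start of each window), the parent_publish_delay and ds_ttl inputs, and the limit of 100 DS submissions per hour are all my assumptions. The 75000-zone figure is the one used in the message.

```python
# Added example (not OpenDNSSEC code): a planner for a
# "don't-send-more-than-X-DS-records-per-Y" option, plus a check that
# the limit holds and the timing consequence for the KSK rollover.
# Assumptions (mine, not the thread's): one DS submission per zone,
# submissions spread evenly over the window, and the delay figures
# in the usage below are illustrative.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Submission:
    zone: str
    send_at: int  # seconds after t0 at which this zone's new DS goes to the parent


def plan_ds_submissions(zones: List[str], max_per_window: int,
                        window_seconds: int, t0: int = 0) -> List[Submission]:
    """Spread DS submissions so that no half-open interval of length
    window_seconds contains more than max_per_window of them.

    Zone i is sent at t0 + floor(i * Y / X).  Zones i and i + X are then
    exactly Y seconds apart, so no window of length Y can hold both."""
    if max_per_window <= 0 or window_seconds <= 0:
        raise ValueError("limit and window must be positive")
    return [Submission(zone, t0 + (i * window_seconds) // max_per_window)
            for i, zone in enumerate(sorted(zones))]


def peak_rate(plan: List[Submission], window_seconds: int) -> int:
    """Check: the largest number of submissions in any window [t, t + Y).
    The busiest window can always be slid to start at a submission time,
    so only windows starting at a submission need to be examined."""
    times = sorted(s.send_at for s in plan)
    peak, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] < start + window_seconds:
            j += 1
        peak = max(peak, j - i)
    return peak


def earliest_fleet_ksk_retire(plan: List[Submission],
                              parent_publish_delay: int, ds_ttl: int) -> int:
    """Timing consequence of the spread: the old KSK of the last zone can
    only be retired once the parent has published that zone's new DS and
    the DS TTL has elapsed, so a fleet-wide retire date moves out by the
    whole submission spread.  parent_publish_delay (submission to the DS
    appearing in the parent zone) is an assumed input, not a DNS constant."""
    last = max(s.send_at for s in plan)
    return last + parent_publish_delay + ds_ttl


if __name__ == "__main__":
    # Constructed fleet: 75000 zones, limit 100 DS submissions per hour.
    zones = [f"zone{i}.example" for i in range(75000)]
    plan = plan_ds_submissions(zones, max_per_window=100, window_seconds=3600)
    print("peak per hour:", peak_rate(plan, 3600))                 # 100
    print("last submission after seconds:", plan[-1].send_at)      # 2699964
    print("fleet KSK retire after days:",
          earliest_fleet_ksk_retire(plan, 7200, 86400) / 86400)
```

With those assumed numbers the last of the 75000 submissions leaves about 31 days after the first, which is the "other timing issues" point: a per-zone rollover state machine that waits for DS publication plus the DS TTL is unaffected, but any fleet-wide deadline (retiring a compromised shared key, or a registry cut-over date) has to absorb the whole spread, and the limit has to be chosen against that deadline rather than only against the registry's transaction capacity.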

