[Opendnssec-user]How to Manage Thousands of Zones's Keys

WBrown at e1b.org WBrown at e1b.org
Tue Oct 16 12:14:40 UTC 2012


刘硕 <shuoleo at 126.com> wrote on 10/16/2012 04:18:35 AM:



> Is it suitable for all the zones to share the same ZSK/KSK? Would
> this cause some other operational problems? Or should
 
I am just starting with DNSSEC and asked the same question on another 
list.  I was told that you can do it.  The trade-off is simplicity vs. 
security.  If the key for one zone is compromised, it affects all zones. 
Also, all zones need to roll over at the same time.  The suggestion made on 
that list was to not share the keys.



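One way to audit the exposure discussed in this thread, as an added example that is not part of the original message or of OpenDNSSEC: group published DNSKEY records by public key and list every zone that would be affected if that key were compromised. The zone names and key material are constructed, and the parser assumes one DNSKEY record per line in zone-file presentation format.

```python
import base64
from collections import defaultdict

# Constructed sample: a.example. and b.example. share one KSK and one ZSK,
# c.example. has its own pair. The key material is made up, not real keys.
SAMPLE = """\
a.example. 3600 IN DNSKEY 257 3 8 AwEAAbCdEfGhIjKl ; shared KSK
a.example. 3600 IN DNSKEY 256 3 8 AwEAAcMnOpQrStUv ; shared ZSK
b.example. 3600 IN DNSKEY 257 3 8 AwEAAbCdEfGhIjKl
b.example. 3600 IN DNSKEY 256 3 8 AwEAAcMnOpQrStUv
c.example. 3600 IN DNSKEY 257 3 8 AwEAAdWxYz012345
c.example. 3600 IN DNSKEY 256 3 8 AwEAAeZyXwVuTsRq
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B; not algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text):
    """Yield (zone, flags, protocol, algorithm, pubkey) for each DNSKEY line."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        yield fields[0].lower(), flags, protocol, algorithm, pubkey

def shared_keys(text):
    """Return sorted (role, algorithm, key_tag, zones) for keys used by >1 zone."""
    zones_by_key = defaultdict(set)
    for zone, flags, protocol, algorithm, pubkey in parse_dnskeys(text):
        zones_by_key[(flags, protocol, algorithm, pubkey)].add(zone)
    report = []
    for (flags, protocol, algorithm, pubkey), zones in zones_by_key.items():
        if len(zones) > 1:
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit marks a KSK
            tag = key_tag(flags, protocol, algorithm, pubkey)
            report.append((role, algorithm, tag, sorted(zones)))
    return sorted(report)

if __name__ == "__main__":
    for role, algorithm, tag, zones in shared_keys(SAMPLE):
        print(f"{role} alg={algorithm} tag={tag} shared by {len(zones)} zones: {zones}")
```

Each reported row is the set of zones that must be re-keyed together if that one key is exposed.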

