[Opendnssec-user]How to Manage Thousands of Zones's Keys
Rick van Rein
rick at openfortress.nl
Tue Oct 16 12:36:15 UTC 2012
> > Is it suitable for all the zones to share the same ZSK/KSK? Would
> > this cause some other some operation problems?
You should be aware that all zones share the same security scope; that
is, if you wanted to move one zone to another party then you could(*) have
real difficulty in treating that one zone well enough. This means that
it is not a sutiable model for hosting applications, where customers
might want to rely on OpenDNSSEC -- good service of such kind should of
course include secure transfers in/out if the customer wants it, that is,
without bringing down DNSSEC on a zone in transit.
(*) it depends on the model of KSK rolling that you are using, and that
in turn depends on how many DS's you can register with the parent.
In short, you are building in more dependencies than you should.
As for simplicity: we've used shared keys in our setup, forced by the HSM
solution that we started off with. We eventually migrated to a solution
with per-zone keys for precisely the reason of simplicity -- all the
actions we did were on bulk datasets anyway, so it didn't matter if there
was one object to handle, or many. We've run into quite a few bugs related
to shared keys, simply because we were one of the few utilising this
feature. I'm not sure if anyone is currently using it in a real-life
setup, but you would definately be in a somewhat exclusive club of
real-life testers for these features.
All other things being equal, I would advise against the use of shared
keys. The real complexity is in the variations of procedures you may
need to support, not in the size of a bulk key handling transaction.
More information about the Opendnssec-user