[Opendnssec-user] Sharedkeys for multiple zones

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Mar 6 21:54:26 UTC 2017

Hi Arun,

> Do you see any risk for sharing the same key pairs for multiple zone
> files, except the fact that if the key is compromised all the zones are
> affected?

Yes*, but only in a specific case.

Normally using the same key for multiple zones is not a problem. Having
more signed data exposed does weaken your key, though I don't think
conceptually there is any difference between signing 1000 1K-record
zones versus one 1000K-record zone. It is just more data, which you can
mitigate by rolling your keys more often.

Now the specific case: when the zone content is not in your control.
I.e. you use the same key to sign the data of multiple customers. If
your customer can instruct your setup to sign chosen data (adding
records etc.) it can use that to gain more knowledge about its key, and
thereby the key of others.

Best regards,

* I'm not a cryptographer. Please ask for a second opinion if a business
decision depends on it.
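An added example, not from this thread and not OpenDNSSEC's own code: a small audit that reads an OpenDNSSEC kasp.xml and zonelist.xml and reports which zones would actually sign with common keys, i.e. zones under a policy whose <Keys> block contains <ShareKeys/>. It assumes the standard element layout of those two files; both XML documents below are constructed sample input.

```python
import xml.etree.ElementTree as ET

# Constructed sample kasp.xml (assumed standard OpenDNSSEC layout): the
# "shared" policy shares keys between its zones, "isolated" does not.
KASP_XML = """<KASP>
  <Policy name="shared">
    <Keys><ShareKeys/></Keys>
  </Policy>
  <Policy name="isolated">
    <Keys/>
  </Policy>
</KASP>"""

# Constructed sample zonelist.xml mapping each zone to its policy.
ZONELIST_XML = """<ZoneList>
  <Zone name="alpha.example"><Policy>shared</Policy></Zone>
  <Zone name="beta.example"><Policy>shared</Policy></Zone>
  <Zone name="gamma.example"><Policy>isolated</Policy></Zone>
</ZoneList>"""


def sharing_policies(kasp_xml):
    """Names of policies whose <Keys> block carries <ShareKeys/>."""
    root = ET.fromstring(kasp_xml)
    return {p.get("name") for p in root.findall("Policy")
            if p.find("Keys/ShareKeys") is not None}


def zones_by_policy(zonelist_xml):
    """Group zone names by the policy each zone is assigned to."""
    groups = {}
    for zone in ET.fromstring(zonelist_xml).findall("Zone"):
        groups.setdefault(zone.findtext("Policy"), []).append(zone.get("name"))
    return groups


def shared_key_groups(kasp_xml, zonelist_xml):
    """Map each key-sharing policy to the zones that sign with common keys.

    A policy with a single zone shares nothing, so only groups of two or
    more zones are reported; those are the groups where one zone's content
    (e.g. a customer's records) affects the key used by the others.
    """
    shared = sharing_policies(kasp_xml)
    return {pol: sorted(zs) for pol, zs in zones_by_policy(zonelist_xml).items()
            if pol in shared and len(zs) > 1}


if __name__ == "__main__":
    for policy, zones in shared_key_groups(KASP_XML, ZONELIST_XML).items():
        print(f"policy {policy!r} shares keys across: {', '.join(zones)}")
```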
