[Opendnssec-user] Sharedkeys for multiple zones
arun at arunns.com
Thu Mar 9 09:51:53 UTC 2017
> Normally using the same key for multiple zones is not a problem. Having
> more signed data exposed does weaken your key, Though I don't think
> conceptually there is any difference between signing 1000 1K record
> zones versus 1 1000K record zone. It is just more data, which you can
> mitigate by rolling your keys more often.
trying to compare the effort/impact of maintaining separate keys for n
number of zones vs shared key for all those zones with a frequent roll over.
Yes the plain text attack - I believe it does not matter - shared keys
with multiple zones or a large zone with dedicated keys got the same risk?
the concerns of shared keys were also about the practical side:
- should the keys be rolled over at the same time for all zones?
- introducing new zones - does it really use the active shared key for
signing a new zones especially when the key is supposed to be dead, based
on an old zone policy?
Now the specific case: when the zone content is not in your control.
> I.e. you use the same key to sign the data of multiple costumers. If
> your costumer can instruct your setup to sign chosen data (adding
> records etc) it can use that to gain more knowledge about its key => and
> thereby the key of others.
Yes, I meant the zones belongs to one organization.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Opendnssec-user