[Opendnssec-user] Sharedkeys for multiple zones

Emil Natan shlyoko at gmail.com
Thu Mar 9 11:36:10 UTC 2017

On Thu, Mar 9, 2017 at 11:51 AM, Arun Natarajan <arun at arunns.com> wrote:

> Normally using the same key for multiple zones is not a problem. Having
>> more signed data exposed does weaken your key, Though I don't think
>> conceptually there is any difference between signing 1000 1K record
>> zones versus 1 1000K record zone. It is just more data, which you can
>> mitigate by rolling your keys more often.
> thanks Yuri.
> trying to compare the effort/impact of maintaining separate keys for n
> number of zones vs shared key for all those zones with a frequent roll over.
> Yes the plain text attack - I believe it does not matter  - shared keys
> with multiple zones or a large zone with dedicated keys got the same risk?
> the concerns of shared keys were also about the practical side:
> - should the keys be rolled over at the same time for all zones?

I'm using shared keys for multiple zones. I set these zones under one
policy, then rotate the keys per policy and not per zone.

> - introducing new zones - does it really use the active shared key for
> signing a new zones especially when the key is supposed to be dead, based
> on an old zone policy?

Did not test this one, it's unlikely scenario in my case, but it worth a


> Now the specific case: when the zone content is not in your control.
>> I.e. you use the same key to sign the data of multiple costumers. If
>> your costumer can instruct your setup to sign chosen data (adding
>> records etc) it can use that to gain more knowledge about its key => and
>> thereby the key of others.
> Yes, I meant the zones belongs to one organization.
> --
> arun
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20170309/036f5c94/attachment.htm>

More information about the Opendnssec-user mailing list