[Dnssec-deployment] DNSKEY sharing across zones by a registrar

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sat Aug 7 00:59:46 EDT 2010



	For systems that share fate on other planes, this seems to be OK. (There is a shared
	TSIG key for all root-ops, because the systems share fate on other dimensions.)  Jakob
	suggests that using the same keystore is a shared fate vector.  If that is the only one,
	then I'd look at the cost/benefit tradeoff much more closely.

--bill


On Fri, Jul 30, 2010 at 11:13:29AM +1200, Jay Daley wrote:
> Another question.  If a registrar were to share keys across the zones they operate then that would make their life considerably easier, but also increase the potential damage from an exploit of that key.  Any thoughts on the balance between those two concerns?
> 
> cheers
> Jay
> 
> -- 
> Jay Daley
> Chief Executive
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 931 6977
> mobile: +64 21 678840
> 

