[Dnssec-deployment] DNSKEY sharing across zones by a registrar
bmanning at vacation.karoshi.com
Sat Aug 7 00:59:46 EDT 2010
For systems that share fate on other planes, this seems to be ok. (There is a shared
TSIG key for all root-ops, because the systems share fate on other dimensions.) Jakob
suggests that using the same keystore is a shared fate vector. If that is the only one,
then I'd look at the cost/benefit tradeoff much more closely.
--bill
On Fri, Jul 30, 2010 at 11:13:29AM +1200, Jay Daley wrote:
> Another question. If a registrar were to share keys across the zones they operate then that would make their life considerably easier, but also increase the potential damage from an exploit of that key. Any thoughts on the balance between those two concerns?
>
> cheers
> Jay
>
> --
> Jay Daley
> Chief Executive
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 931 6977
> mobile: +64 21 678840
>