[Dnssec-deployment] DNSKEY sharing across zones by a registrar
Edward Lewis
Ed.Lewis at neustar.biz
Fri Jul 30 02:06:41 EDT 2010
At 11:13 +1200 7/30/10, Jay Daley wrote:
>Another question. If a registrar were to share keys across the zones they
>operate then that would make their life considerably easier, but also
>increase the potential damage from an exploit of that key. Any thoughts on
>the balance between those two concerns?
Up there with the debate on KSK/ZSK 2K/1K bit lengths - it was an
assumed rule by the ancients and now has been questioned by the
crypt-oians. My tune has become, regarding all things crypto "we
don't know nothing" and "only time will tell."
I think 1, 2, 5 years on we will be better off looking back and
examining the anecdotal evidence than trying to design into the
future now.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.