[Dnssec-deployment] More than 90k DNSSEC domains in .CZ
Jakob Schlyter
jakob at kirei.se
Thu Mar 11 16:21:45 EST 2010
On 11 mar 2010, at 18.37, Paul Wouters wrote:
> I really wish people would stop doing that. Perhaps we should add
> something to 4641bis about not re-using the same keys for many zones,
> to avoid creating desirable attack targets and avoid doing thousands of
> emergency key rollovers if the private key would be compromised.

would you consider 10.000 zones with 10 RRs per zone, using the same key for all zones, different from one zone with 100.000 RRs?

if so, why?

given a reasonably secure key storage - what type of compromises are you mostly worried about?

jakob