[Dnssec-deployment] More than 90k DNSSEC domains in .CZ
richard.lamb at icann.org
Thu Mar 11 22:45:41 EST 2010
Sent from my iPhone
On Mar 11, 2010, at 13:14, "Sebastian Castro" <sebastian at nzrs.net.nz> wrote:
> Paul Wouters wrote:
>> On Thu, 11 Mar 2010, Ondřej Surý wrote:
>>> Subject: [Dnssec-deployment] More than 90k DNSSEC domains in .CZ
>>> P.P.S.: Paul, to answer your question before you raise it. Yes,
>>> they do.
>> I really wish people would stop doing that. Perhaps we should add
>> something to 4641bis about not re-using the same keys for many zones,
>> to avoid creating desirable attack targets and avoid doing thousands of
>> emergency key rollovers if the private key would be compromised.
> How many zones do you think is enough for one key?
> I agree it's a serious risk to have thousands of zones with same ZSK,
> but there are also complications associated to handle hundreds of
> Does anyone know how many keys a typical HSM can handle? Is it in the
> of hundreds? Thousands? How do current key management software/products
> behave with lots (order of hundreds) of keys?
> Sebastian Castro
> DNS Specialist
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 495 2337
> mobile: +64 21 400535
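
An added example, not part of the original messages or of any project's code: one way to measure the exposure raised in the thread is to group zones by identical DNSKEY RDATA and count how many zones would need an emergency rollover if one private key were compromised. The zone names and key bytes are constructed placeholders, the function names are this example's own, and it assumes one DNSKEY record per line in presentation format.

```python
import base64
import struct
from collections import defaultdict

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskey(line: str):
    """Parse 'owner [ttl] IN DNSKEY flags proto alg base64...' into (zone, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0].lower(), struct.pack("!HBB", flags, proto, alg) + pubkey

def shared_keys(lines, threshold=2):
    """Map each DNSKEY used by >= threshold zones to the sorted zones using it."""
    zones_by_key = defaultdict(set)
    for line in lines:
        line = line.split(";")[0].strip()  # drop zone-file comments
        if line and "DNSKEY" in line.split():
            zone, rdata = parse_dnskey(line)
            zones_by_key[rdata].add(zone)
    return {k: sorted(z) for k, z in zones_by_key.items() if len(z) >= threshold}

def report(lines):
    """Rows of (key tag, role, algorithm, zones), largest rollover set first."""
    rows = []
    for rdata, zones in shared_keys(lines).items():
        flags, _, alg = struct.unpack("!HBB", rdata[:4])
        role = "KSK" if flags & 1 else "ZSK"  # SEP bit set means KSK
        rows.append((key_tag(rdata), role, alg, zones))
    return sorted(rows, key=lambda r: -len(r[3]))

# Constructed sample data: placeholder key bytes, not real keys or real zones.
_SHARED = base64.b64encode(bytes(range(64))).decode()
_OWN = base64.b64encode(bytes(range(64, 128))).decode()
SAMPLE = [
    f"a.example. 3600 IN DNSKEY 256 3 5 {_SHARED}",
    f"b.example. 3600 IN DNSKEY 256 3 5 {_SHARED}",
    f"c.example. 3600 IN DNSKEY 256 3 5 {_SHARED}",
    f"d.example. 3600 IN DNSKEY 256 3 5 {_OWN}",  # its own key: not reported
]

if __name__ == "__main__":
    for tag, role, alg, zones in report(SAMPLE):
        print(f"{role} tag={tag} alg={alg}: {len(zones)} zones to roll: {zones}")
```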