[Dnssec-deployment] More than 90k DNSSEC domains in .CZ

Richard Lamb richard.lamb at icann.org
Thu Mar 11 22:45:41 EST 2010


1000's


Sent from my iPhone

On Mar 11, 2010, at 13:14, "Sebastian Castro" <sebastian at nzrs.net.nz> wrote:

> Paul Wouters wrote:
>> On Thu, 11 Mar 2010, Ondřej Surý wrote:
>>
>>> Subject: [Dnssec-deployment] More than 90k DNSSEC domains in .CZ
>>
>>> P.P.S.: Paul, to answer your question before you raise it. Yes, they do.
>>
>> I really wish people would stop doing that. Perhaps we should add
>> something to 4641bis about not re-using the same keys for many zones,
>> to avoid creating desirable attack targets and avoid doing thousands of
>> emergency key rollovers if the private key would be compromised.
>>
>
> How many zones do you think is enough for one key?
> I agree it's a serious risk to have thousands of zones with same ZSK,
> but there are also complications associated with handling hundreds of keys.
>
> Does anyone know how many keys a typical HSM can handle? Is it in the order
> of hundreds? Thousands? How do current key management software/products
> behave with lots (order of hundreds) of keys?
>
>> Paul
>
> Cheers!
> -- 
> Sebastian Castro
> DNS Specialist
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 495 2337
> mobile: +64 21 400535
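The risk Paul raises above (one ZSK shared by thousands of zones, so one compromise means thousands of emergency rollovers) is easy to audit for from the public DNSKEY data. The following is an added example, not code from the thread or from any registry: it parses DNSKEY records in presentation format, computes the RFC 4034 key tag, and reports any key material that appears in more than a configurable number of zones. The zone names and key material are constructed and are not real DNSSEC keys.

```python
import base64
import struct
from collections import defaultdict

# Constructed key material (NOT real keys); base64-encoded as in DNSKEY presentation format.
KEY_A = base64.b64encode(b"constructed-zsk-material-A-not-a-real-key").decode()
KEY_B = base64.b64encode(b"constructed-zsk-material-B-not-a-real-key").decode()

# Constructed sample: three zones share KEY_A, one zone has its own KEY_B.
SAMPLE_DNSKEYS = "\n".join([
    f"alpha.example. 3600 IN DNSKEY 256 3 8 {KEY_A}",
    f"beta.example.  3600 IN DNSKEY 256 3 8 {KEY_A}",
    f"gamma.example. 3600 IN DNSKEY 256 3 8 {KEY_A}",
    f"delta.example. 3600 IN DNSKEY 256 3 8 {KEY_B}",
])


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, alg, key)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text):
    """Parse 'name ttl IN DNSKEY flags proto alg key...' lines into tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3] != "DNSKEY":
            continue
        name = parts[0].lower()
        flags, proto, alg = int(parts[4]), int(parts[5]), int(parts[6])
        pubkey = base64.b64decode("".join(parts[7:]))  # key may be split by whitespace
        records.append((name, flags, proto, alg, pubkey))
    return records


def shared_keys(records, max_zones=1):
    """Map key tag -> sorted zones for every key used by more than max_zones zones.

    The length of each zone list is also the number of emergency rollovers that
    a compromise of that single private key would force."""
    by_key = defaultdict(set)
    for name, flags, proto, alg, pubkey in records:
        by_key[(flags, proto, alg, pubkey)].add(name)
    return {key_tag(*k): sorted(zones) for k, zones in by_key.items()
            if len(zones) > max_zones}
```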

