[Dnssec-deployment] More than 90k DNSSEC domains in .CZ
Olaf Kolkman
olaf at NLnetLabs.nl
Fri Mar 12 04:24:11 EST 2010
On Mar 11, 2010, at 6:37 PM, Paul Wouters wrote:
> On Thu, 11 Mar 2010, Ondřej Surý wrote:
>
>> Subject: [Dnssec-deployment] More than 90k DNSSEC domains in .CZ
>
>> P.P.S.: Paul, to answer your question before you raise it. Yes, they do.
>
> I really wish people would stop doing that. Perhaps we should add
> something to 4641bis about not re-using the same keys for many zones,
> to avoid creating desirable attack targets and avoid doing thousands of
> emergency key rollovers if the private key would be compromised.
From a pure key-management perspective that makes perfect sense, but from a broad operational perspective there are several things that you will need to take into account:
- What is the value of the 90k domains that are protected to an attacker?
o Does that value warrant an active attack on the private key, in other words: what are realistic cost estimates of such attack and what is the estimated economical loss if the attack succeeds?
- What are the costs and risks of operational failure if you only have to take care of 1 key versus 90k keys (in the extreme)?
To me the answers to those questions are not that trivial (I won't make an attempt to answer them here). But I could imagine that protecting 1 golden egg from breaking is easier than protecting 90k eggs in a big basket. (For those who are imaginative, think of the amount of raw egg mess of 90k eggs [ca 4.500 kg].)
"Unique keys for every zone and purpose." may be prohibitively expensive in some cases and an economic necessity in others.
--Olaf
________________________________________________________
Olaf M. Kolkman, NLnet Labs
Science Park 140, 1098 XG Amsterdam
http://www.nlnetlabs.nl/
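The thread turns on whether many zones share one DNSKEY. An operator or registry auditing its own zone set can answer that question from the DNSKEY RRsets alone, by grouping zones on identical public key material. The script below is an added example written for this thread, not code from either poster or from NLnet Labs or CZ.NIC; the zone names and the short base64 "keys" are constructed placeholders, not real zones or real keys. It also shows the RFC 4034 Appendix B key tag, which is handy as a label in a report but, being a 16-bit checksum, must not be used as the grouping key, since unrelated keys can share a tag.

```python
import base64
from collections import defaultdict

# Constructed sample input (not real data): one DNSKEY per line in the
# usual presentation form "<zone> DNSKEY <flags> <protocol> <algorithm> <base64>".
# The public keys are 4-byte dummy strings, not real RSA/ECDSA keys.
SAMPLE_DNSKEYS = """\
example-a.cz. DNSKEY 257 3 8 AQIDBA==
example-b.cz. DNSKEY 257 3 8 AQIDBA==
example-c.cz. DNSKEY 256 3 8 BQYHCA==
"""


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA.

    (The special case for algorithm 1 / RSA-MD5 is deliberately not
    handled here; that algorithm is obsolete.)
    """
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_lines(text: str) -> list[dict]:
    """Parse presentation-format DNSKEY lines into records with decoded key bytes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and zone-file comments
        fields = line.split()
        if len(fields) < 6 or fields[1].upper() != "DNSKEY":
            raise ValueError(f"unexpected DNSKEY line: {line!r}")
        flags, protocol, algorithm = (int(f) for f in fields[2:5])
        # Base64 may be split over several whitespace-separated chunks.
        pubkey = base64.b64decode("".join(fields[5:]), validate=True)
        records.append({
            "zone": fields[0].lower(),
            "flags": flags,
            "protocol": protocol,
            "algorithm": algorithm,
            "pubkey": pubkey,
            "tag": key_tag(flags, protocol, algorithm, pubkey),
        })
    return records


def find_shared_keys(records: list[dict]) -> dict[str, list[str]]:
    """Map each public key (base64) that appears in more than one zone to its zones.

    Grouping is on (algorithm, full public key bytes), never on the key tag:
    two different keys can collide on the 16-bit tag, and the flags field
    (KSK vs ZSK) is ignored because it is the key material that matters.
    """
    by_key: dict[tuple[int, bytes], set[str]] = defaultdict(set)
    for r in records:
        by_key[(r["algorithm"], r["pubkey"])].add(r["zone"])
    return {
        base64.b64encode(pub).decode(): sorted(zones)
        for (_alg, pub), zones in by_key.items()
        if len(zones) > 1
    }


def report(text: str) -> str:
    """Human-readable summary of key reuse across the given DNSKEY lines."""
    records = parse_dnskey_lines(text)
    shared = find_shared_keys(records)
    lines = [f"{len(records)} DNSKEY records, {len(shared)} key(s) used by more than one zone"]
    for pub, zones in shared.items():
        tags = sorted({r["tag"] for r in records if base64.b64encode(r["pubkey"]).decode() == pub})
        lines.append(f"  key {pub} (tag(s) {tags}) shared by {len(zones)} zones: {', '.join(zones)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DNSKEYS))
```

On a real zone set the input would be the DNSKEY RRsets pulled from the signer or from the authoritative servers; a non-empty result from `find_shared_keys` is exactly the situation Paul describes, where one private-key compromise forces a rollover across every listed zone.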