[Dnssec-deployment] More than 90k DNSSEC domains in .CZ
olaf at NLnetLabs.nl
Fri Mar 12 04:24:11 EST 2010
On Mar 11, 2010, at 6:37 PM, Paul Wouters wrote:
> On Thu, 11 Mar 2010, Ondřej Surý wrote:
>> Subject: [Dnssec-deployment] More than 90k DNSSEC domains in .CZ
>> P.P.S.: Paul, to answer your question before you raise it. Yes, they do.
> I really wish people would stop doing that. Perhaps we should add
> something to 4641bis about not re-using the same keys for many zones,
> to avoid creating desirable attack targets and avoid doing thousands of
> emergency key rollovers if the private key would be compromised.
From a pure key-management perspective that makes perfect sense but from an broad operational perspective there are several things that you will need to take into account:
- What is the value of the 90k domains that are protected to an attacker?
o Does that value warrant an active attack on the private key, in other words: what are realistic cost estimates of such attack and what is the estimated economical loss if the attack succeeds?
- What are the costs and risks of operational failure if you only have to take care of 1 key versus 90k keys (in the extreme)?
To me the answers to those questions are not that trivial (I won't make an attempt to answer them here). But I could imagine that protecting 1 golden egg from breaking is easier than protecting 90k eggs in a big basket. (For those who are imaginative think of the amount of raw egg mess of 90k eggs [ca 4.500 kg]).
"Unique keys for every zone and purpose." may be prohibitively expensive in some cases and an economic necessity in others.
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
More information about the Dnssec-deployment