Hi Arun,

> Do you see any risk for sharing the same key pairs for multiple zone
> files, except the fact that if the key is compromised all the zones are
> affected?
Yes*, but only in a specific case. Normally, using the same key for multiple zones is not a problem.

Having more signed data exposed does weaken your key, though I don't think there is conceptually any difference between signing 1000 zones of 1K records each versus one zone of 1000K records. It is just more data, which you can mitigate by rolling your keys more often.

Now the specific case: when the zone content is not in your control, i.e. you use the same key to sign the data of multiple customers. If your customer can instruct your setup to sign chosen data (adding records, etc.), they can use that to gain more knowledge about the key, and thereby the key of the others.

Best regards,
Yuri

* I'm not a cryptographer. Please ask for a second opinion if a business decision depends on it.
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
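As an added illustration (not part of the thread above, and not taken from the OpenDNSSEC project's shipped files), this is how the two situations Yuri distinguishes can be kept apart in an OpenDNSSEC kasp.xml: one policy that shares keys across zones you control yourself, with a shorter ZSK lifetime to compensate for the larger signed volume, and a second policy without key sharing for zones whose content customers control. The policy names, lifetimes and repository name are assumptions chosen for the example; the `ShareKeys` element and the surrounding structure should be checked against the kasp.xml documentation of the OpenDNSSEC version actually deployed. Other mandatory policy sections (Signatures, Denial, Zone, Parent) are omitted to keep the fragment short.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative kasp.xml fragment (example only; not from the original thread). -->
<KASP>

  <!-- Policy for zones whose content is fully under our own control.
       Keys are shared by every zone assigned to this policy; the ZSK is
       rolled more often than usual because it signs more data. -->
  <Policy name="inhouse-shared">
    <Description>Own zones, one key set shared across all of them</Description>
    <Keys>
      <TTL>PT1H</TTL>
      <RetireSafety>PT1H</RetireSafety>
      <PublishSafety>PT1H</PublishSafety>
      <ShareKeys/>
      <Purge>P14D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>   <!-- RSASHA256 -->
        <Lifetime>P1Y</Lifetime>
        <Repository>SoftHSM</Repository>          <!-- assumed repository name -->
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P14D</Lifetime>                 <!-- shorter roll interval (assumption) -->
        <Repository>SoftHSM</Repository>
      </ZSK>
    </Keys>
    <!-- Signatures, Denial, Zone and Parent sections omitted here. -->
  </Policy>

  <!-- Policy for hosted customer zones. No ShareKeys element, so each zone
       gets its own KSK/ZSK pair; records one customer adds are never signed
       with a key that also protects another customer's zone. -->
  <Policy name="customer-per-zone">
    <Description>Customer-controlled zones, separate keys per zone</Description>
    <Keys>
      <TTL>PT1H</TTL>
      <RetireSafety>PT1H</RetireSafety>
      <PublishSafety>PT1H</PublishSafety>
      <Purge>P14D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P1Y</Lifetime>
        <Repository>SoftHSM</Repository>
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P30D</Lifetime>
        <Repository>SoftHSM</Repository>
      </ZSK>
    </Keys>
    <!-- Signatures, Denial, Zone and Parent sections omitted here. -->
  </Policy>

</KASP>
```

Zones are then mapped to one policy or the other in zonelist.xml via each zone's `<Policy>` element, so the decision of whether a zone may share keys is made per zone at the time it is added, rather than by a signer-wide default.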
