On Thu, Mar 9, 2017 at 11:51 AM, Arun Natarajan <[email protected]> wrote:
>> Normally using the same key for multiple zones is not a problem. Having
>> more signed data exposed does weaken your key, though I don't think
>> conceptually there is any difference between signing 1000 1K record
>> zones versus 1 1000K record zone. It is just more data, which you can
>> mitigate by rolling your keys more often.
>>
>
> Thanks Yuri.
>
> Trying to compare the effort/impact of maintaining separate keys for n
> number of zones vs a shared key for all those zones with a frequent rollover.
>
> Yes, the plain text attack - I believe it does not matter - shared keys
> with multiple zones or a large zone with dedicated keys have the same risk?
>
> The concerns of shared keys were also about the practical side:
> - should the keys be rolled over at the same time for all zones?
>
I'm using shared keys for multiple zones. I set these zones under one policy, then rotate the keys per policy and not per zone.

> - introducing new zones - does it really use the active shared key for
> signing new zones, especially when the key is supposed to be dead, based
> on an old zone policy?
>
Did not test this one, it's an unlikely scenario in my case, but it's worth a try.

Emil

> Now the specific case: when the zone content is not in your control.
>> I.e. you use the same key to sign the data of multiple customers. If
>> your customer can instruct your setup to sign chosen data (adding
>> records etc.) it can use that to gain more knowledge about its key => and
>> thereby the key of others.
>>
>
> Yes, I meant the zones belong to one organization.
> --
> arun
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
