On 27/04/12 13:40, wbr...@e1b.org wrote:
> We are authoritative for a few dozen small zones. Is it possible to use
> the same KSK for all of them? I can see where if it gets compromised we
> would need to resign all zones using the KSK at once. How much effort
> would I be saving sharing the KSK?

That depends entirely on how you are signing and managing the zones.
IMO you might be creating more work for yourself, since it's a less
common configuration.

I'm sure there are plenty of other good reasons not to do this...
Enlighten me!

It means you can't change the ZSK independent of the KSK, so any key
changes involve parent DS changes too.
It means you have to keep the ZSK and KSK online; if you use a separate
KSK, you could in theory keep that stored offline and only bring it
online when the ZSK needs re-signing.
Known plaintext attacks. ZSK signs relatively larger amounts of data.
Hence, if you buy this argument, ZSK should be rotated more frequently
than KSK, implying separate keys.
etc. etc.
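The dependency structure behind those points (parent DS anchors the KSK, the KSK signs the DNSKEY RRset, the ZSK signs the data) can be checked with a small model. The block below is an added example, not code from the thread or from BIND: keys, "signatures" (HMACs) and the DS digest are constructed stand-ins so it runs on the Python standard library alone, and the zone names and records are made up. It shows why a ZSK roll in a split-key zone leaves the parent's DS untouched, why a roll of a single shared key always forces a DS change, and how a KSK shared by several zones turns one roll into a DS update for every zone that uses it.

```python
"""Toy model of the DNSSEC trust chain: parent DS -> KSK -> DNSKEY RRset -> ZSK -> data.
Signatures are HMACs and the "public" key is a hash of the secret (constructed
stand-ins); only the dependency structure is modelled, not real DNSSEC formats."""
import hashlib
import hmac
import os


class Key:
    """Stand-in DNSSEC key pair; role is "KSK", "ZSK" or "CSK" (one shared key)."""

    def __init__(self, role):
        self.role = role
        self._secret = os.urandom(32)   # private half, stays on the signing host
        self.public = hashlib.sha256(b"pub:" + self._secret).digest()  # stand-in DNSKEY RDATA

    def sign(self, data):
        return hmac.new(self._secret, data, "sha256").digest()

    def verify(self, data, sig):
        return hmac.compare_digest(self.sign(data), sig)


def ds_digest(key):
    """What the parent publishes as DS: a digest of the child's key-signing key."""
    return hashlib.sha256(key.public).hexdigest()


class Zone:
    """A signed zone.  With zsk=None one key signs both DNSKEY and data (CSK)."""

    def __init__(self, name, rrsets, ksk, zsk=None):
        self.name = name
        self.rrsets = dict(rrsets)      # owner -> record bytes (constructed sample data)
        self.ksk = ksk
        self.zsk = zsk or ksk
        self.resign()

    def keys(self):
        return {self.ksk, self.zsk}

    def dnskey_rrset(self):
        return b"".join(sorted(k.public for k in self.keys()))

    def resign(self):
        """DNSKEY RRset signed by the KSK, every other RRset by the ZSK."""
        self.dnskey_sig = self.ksk.sign(self.dnskey_rrset())
        self.rrsigs = {owner: self.zsk.sign(data) for owner, data in self.rrsets.items()}


def validate(zone, parent_ds):
    """Resolver view: DS must match a DNSKEY that signs the DNSKEY RRset,
    and some key in that RRset must sign each data RRset."""
    anchored = [k for k in zone.keys() if ds_digest(k) == parent_ds]
    if not any(k.verify(zone.dnskey_rrset(), zone.dnskey_sig) for k in anchored):
        return False
    return all(any(k.verify(data, zone.rrsigs[owner]) for k in zone.keys())
               for owner, data in zone.rrsets.items())


def roll_zsk(zone):
    """ZSK roll in a split-key zone: only the child re-signs; parent DS is untouched."""
    zone.zsk = Key("ZSK")
    zone.resign()


def roll_ksk(zone):
    """KSK (or CSK) roll: re-sign, and the parent's DS must be updated."""
    zone.ksk = Key(zone.ksk.role)
    if zone.zsk.role == "CSK":
        zone.zsk = zone.ksk     # single-key zone: the new key takes both roles
    zone.resign()


def demo():
    records = {b"www.example.test.": b"A 192.0.2.1", b"example.test.": b"MX 10 mail"}  # constructed
    out = {}
    split = Zone("example.test.", records, Key("KSK"), Key("ZSK"))
    ds = ds_digest(split.ksk)
    out["split_initial"] = validate(split, ds)
    roll_zsk(split)
    out["split_after_zsk_roll_same_ds"] = validate(split, ds)      # still valid
    roll_ksk(split)
    out["split_after_ksk_roll_old_ds"] = validate(split, ds)       # broken until DS changes
    out["split_after_ksk_roll_new_ds"] = validate(split, ds_digest(split.ksk))

    single = Zone("example.test.", records, Key("CSK"))
    ds1 = ds_digest(single.ksk)
    out["single_initial"] = validate(single, ds1)
    roll_ksk(single)                     # the only key there is: every roll is a DS change
    out["single_after_roll_old_ds"] = validate(single, ds1)

    # one KSK shared by several zones: one roll means a DS update for all of them
    shared = Key("KSK")
    zones = [Zone(f"zone{i}.test.", records, shared, Key("ZSK")) for i in range(3)]
    old_ds = ds_digest(shared)
    fresh = Key("KSK")
    for z in zones:
        z.ksk = fresh
        z.resign()
    out["zones_needing_ds_update"] = sum(not validate(z, old_ds) for z in zones)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` gives the split-key zone surviving its ZSK roll against the unchanged DS, both the split zone's KSK roll and the single-key zone's roll failing against the old DS, and all three zones sharing one KSK needing a DS update after that key is replaced.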
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users