Re: Question about KSK

2012-04-27 Thread Tony Finch
wbr...@e1b.org  wrote:

> We are authoritative for a few dozen small zones.  Is it possible to use
> the same KSK for all of them?  I can see where if it gets compromised we
> would need to resign all zones using the KSK at once.  How much effort
> would I be saving sharing the KSK?

With BIND it is much easier not to share keys - the easy-to-use signing
features (auto-dnssec maintain and dnssec-signzone -S) rely on key
filenames that contain the zone name.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forth, Tyne, Dogger, Northwest Fisher: Northwesterly, veering northeasterly, 4
or 5, occasionally 6 in Dogger. Slight or moderate, occasionally rough at
first. Showers. Good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Question about KSK

2012-04-27 Thread Jan-Piet Mens
> I was mistakenly thinking the KSK also had an expiration as the
> ZSK does.

Keys don't expire; signatures (RRSIGs) do.

-JP


Re: Question about KSK

2012-04-27 Thread WBrown
Jan-Piet wrote on 04/27/2012 10:22:39 AM:

> > When the shared KSK needed to be rolled over, you would have to
> > process DS records in the parents of your few dozen zones all at the
> > same time.
> 
> *If* you want to roll the KSK, a.k.a. "when did you last roll your SSH
> keys?" :-)

Correct.  I was mistakenly thinking the KSK also had an expiration as the 
ZSK does.





Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.


Re: Question about KSK

2012-04-27 Thread Jan-Piet Mens
> When the shared KSK needed to be rolled over, you would have to
> process DS records in the parents of your few dozen zones all at the
> same time.

*If* you want to roll the KSK, a.k.a. "when did you last roll your SSH
keys?" :-)

-JP


Re: Question about KSK

2012-04-27 Thread Phil Mayers

On 27/04/12 13:40, wbr...@e1b.org wrote:

> We are authoritative for a few dozen small zones.  Is it possible to use
> the same KSK for all of them?  I can see where if it gets compromised we
> would need to resign all zones using the KSK at once.  How much effort
> would I be saving sharing the KSK?

That depends entirely on how you are signing and managing the zones.

IMO you might be creating more work for yourself, since it's a less 
common configuration.

> I'm sure there are plenty of other good reasons not to do this...
> Enlighten me!

It means you can't change the ZSK independent of the KSK, so any key 
changes involve parent DS changes too.

It means you have to keep the ZSK and KSK online; if you use a separate 
KSK, you could in theory keep that stored offline and only bring it 
online when the ZSK needs re-signing.

Known plaintext attacks. ZSK signs relatively larger amounts of data. 
Hence, if you buy this argument, ZSK should be rotated more frequently 
than KSK, implying separate keys.

etc. etc.


RE: Question about KSK

2012-04-27 Thread Spain, Dr. Jeffry A.
> We are authoritative for a few dozen small zones.  Is it possible to use the 
> same KSK for all of them?  I can see where if it gets compromised we would 
> need to resign all zones using the KSK at once.  How much effort would I be 
> saving sharing the KSK?

My sense is that you would be creating more effort, at least more concentrated 
effort, for yourself on the back end. When the shared KSK needed to be rolled 
over, you would have to process DS records in the parents of your few dozen 
zones all at the same time. Instead you could script dnssec-keygen to create 
unique KSKs for each zone, and in so doing you could adjust the timing metadata 
for each to spread this rollover workload over a suitable period of time. My 
sense is that keeping track of the KSK files themselves does not create a large 
amount of administrative overhead.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

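Scripting per-zone keys with staggered timing metadata, as Jeffry suggests, and the K<zone>.+<alg>+<keyid> key-file naming that Tony's reply says BIND's auto-dnssec maintain depends on, shown together as an added example. This is not code from the thread or from ISC; the zone list, the key directory /var/named/keys, RSASHA256 with 2048/1024-bit keys, the 365-day KSK and 90-day ZSK lifetimes, the one-week stagger and the DO_RUN switch are all assumptions.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): one KSK and one ZSK per
# zone, generated with dnssec-keygen, with each zone's KSK Inactive/Delete
# dates staggered so the parent DS updates do not all fall on the same day.
# Zone list, key directory, algorithm, sizes and lifetimes are assumptions.
set -eu

KEYDIR=${KEYDIR:-/var/named/keys}   # assumed key-directory from named.conf
ALG=${ALG:-RSASHA256}
KSK_BITS=2048
ZSK_BITS=1024
KSK_LIFE_DAYS=365     # assumed KSK lifetime before it goes Inactive
ZSK_LIFE_DAYS=90      # assumed ZSK lifetime (rolled more often than the KSK)
STAGGER_DAYS=7        # each successive zone's KSK retires one week later
ZONES="example.com example.net example.org"   # constructed zone list

# Day offset at which the Nth zone's KSK (N counted from 0) becomes Inactive.
ksk_inactive_days() {
  echo $((KSK_LIFE_DAYS + $1 * STAGGER_DAYS))
}

# Print the two dnssec-keygen command lines for one zone. dnssec-keygen
# accepts relative times such as +365d for -I and -D, so no date maths is
# needed; Publish and Activate default to now. The files it writes are
# K<zone>.+<alg>+<keyid>.key/.private, which is how named's
# "auto-dnssec maintain" locates the keys belonging to a zone.
keygen_cmds() {
  zone=$1; idx=$2
  inact=$(ksk_inactive_days "$idx")
  del=$((inact + 30))   # keep the retired KSK 30 days past its Inactive date
  printf 'dnssec-keygen -K %s -a %s -b %s -f KSK -I +%sd -D +%sd %s\n' \
    "$KEYDIR" "$ALG" "$KSK_BITS" "$inact" "$del" "$zone"
  printf 'dnssec-keygen -K %s -a %s -b %s -I +%sd -D +%sd %s\n' \
    "$KEYDIR" "$ALG" "$ZSK_BITS" "$ZSK_LIFE_DAYS" "$((ZSK_LIFE_DAYS + 30))" "$zone"
}

# named.conf zone stanza that makes named pick up the keys from KEYDIR.
# inline-signing needs BIND 9.9+; otherwise the zone must accept dynamic
# updates for auto-dnssec maintain to be able to re-sign it.
zone_stanza() {
  cat <<EOF
zone "$1" {
    type master;
    file "$1.zone";
    key-directory "$KEYDIR";
    auto-dnssec maintain;
    inline-signing yes;
};
EOF
}

# Dry run by default; set DO_RUN=1 on a host with dnssec-keygen and KEYDIR
# in place to actually generate the keys.
main() {
  i=0
  for z in $ZONES; do
    keygen_cmds "$z" "$i" | while IFS= read -r cmd; do
      if [ "${DO_RUN:-0}" = 1 ]; then
        eval "$cmd"
      else
        echo "# dry run: $cmd"
      fi
    done
    zone_stanza "$z"
    i=$((i + 1))
  done
}

main
```

Staggering the Inactive dates only spreads out when each zone's first KSK retires; for the rollover itself you still generate a successor for each KSK ahead of that date (dnssec-keygen -S inherits the old key's timing) and get the new DS into the parent before the old key goes Inactive.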


Re: Question about KSK

2012-04-27 Thread Bill Owens
On Fri, Apr 27, 2012 at 08:40:54AM -0400, wbr...@e1b.org wrote:
> We are authoritative for a few dozen small zones.  Is it possible to use 
> the same KSK for all of them?  I can see where if it gets compromised we 
> would need to resign all zones using the KSK at once.  How much effort 
> would I be saving sharing the KSK?
> 
> I'm sure there are plenty of other good reasons not to do this... 
> Enlighten me!

Don't know about reasons for or against, but Binero AB, a big provider in 
Sweden, signs thousands of their customers' zones with the same KSK and ZSK.

Bill.


Question about KSK

2012-04-27 Thread WBrown
We are authoritative for a few dozen small zones.  Is it possible to use 
the same KSK for all of them?  I can see where if it gets compromised we 
would need to resign all zones using the KSK at once.  How much effort 
would I be saving sharing the KSK?

I'm sure there are plenty of other good reasons not to do this... 
Enlighten me!


-- 

William Brown
Messaging and Core Hosted Application Technical Teams
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285
