Paul Wouters paul at xelerance.com
Tue Sep 29 14:17:27 UTC 2009

On Tue, 29 Sep 2009, Chris Thompson wrote:

> On Sep 29 2009, Paveza, Gary wrote:
>> I'm currently working on setting up DNSSEC for all our zones.  I have a
>> question regarding keys.  Do you use different ZSK and KSKs for each zone?
>> Or do you use the same keys for all zones? 
> You can't really use the "same" ZSK and/or KSK for different zones, because
> they contain the zone name.

You could, but you should not. It affects the "life time" of the key too. And
signing thousands of domains with the same keys makes those keys much more
attractive to attackers. A thousand domains for the price of one brute force.

>> How do you handle the reverse zones since they can be comprised of many
>> different domain names?
> DNSSEC certainly adds to the aggravation of having lots of piddling little
> reverse zones. Some people may just decide not to bother signing reverse
> zones ("reverse lookup results should only be treated as a hint, anyway").

"different domain names"? They're still /24 zones. I would still sign them
so you can do things like put SSHFP records on them. Very valuable.

> What I would like to see is for more reverse zones to go away, by use
> of the scheme I describe in
> http://people.pwf.cam.ac.uk/cet1/prune-reverse-zones

I don't see how moving the reverse into a special forward zone decreases
management of it. I assume you'd still need to update the records when
necessary. The only thing you're reducing might be the use of one DNSSEC
key for your "reverse mapped" zones in the forward tree.
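The key-reuse concern raised above ("a thousand domains for the price of one brute force") is something an operator can audit for. The following is an added example, not code from the thread or from BIND: it parses DNSKEY records in presentation format, computes each key's RFC 4034 key tag, and reports any public key that appears under more than one zone. The DNSKEY lines are constructed sample data with made-up key material.

```python
import base64
import struct
from collections import defaultdict

# Constructed sample: three zones, two of which share the same ZSK.
# The base64 "keys" are placeholder bytes, not real key material.
SAMPLE_DNSKEYS = """
example.com.            3600 IN DNSKEY 256 3 8 Y29uc3RydWN0ZWQtenNrLUE=
example.net.            3600 IN DNSKEY 256 3 8 Y29uc3RydWN0ZWQtenNrLUE=
example.net.            3600 IN DNSKEY 257 3 8 Y29uc3RydWN0ZWQta3NrLUI=
1.168.192.in-addr.arpa. 3600 IN DNSKEY 256 3 8 Y29uc3RydWN0ZWQtenNrLUM=
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) per DNSKEY RR."""
    keys = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        owner = f[0].lower()
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        pub = base64.b64decode("".join(f[7:]))  # key may span several tokens
        keys.append((owner, flags, proto, alg, pub))
    return keys


def find_shared_keys(keys):
    """Map key tag -> sorted zone names for every key used by more than one zone."""
    owners = defaultdict(set)
    for owner, flags, proto, alg, pub in keys:
        owners[(flags, proto, alg, pub)].add(owner)
    return {key_tag(*k): sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    for tag, zones in find_shared_keys(parse_dnskeys(SAMPLE_DNSKEYS)).items():
        print(f"key tag {tag} is shared by: {', '.join(zones)}")
```

Feeding it the output of `dig +short DNSKEY <zone>` (prefixed with the owner name) for every zone you serve gives a quick inventory of cross-zone key sharing.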


More information about the bind-users mailing list