
I run an authoritative name server (BIND), and I have a few dozen domains with identical zone files, i.e. they all use /etc/bind/db.default3.

I’m considering deploying DNSSEC on my server, but so far all documentation I found on it would require me to do many manual steps per zone (such as generating KSK and ZSK). BIND 9.9’s inline-signing makes some of it easier, but not everything.

So, can I make BIND, in inline-signing mode, use the same KSK for multiple domains? If so, will I be able to put the same value in the DS record for these domains? And why do I have to manage the ZSK – shouldn’t BIND, given a KSK, be able to take care of that for me?

Joachim Breitner

1 Answer


You can use the same KSK for multiple domains, but it is not a good idea since it means that if there is a problem with this key (either cryptographically, you lose the private key, or you forget to renew it, etc.) it will impact more than one domain. For a given key, you cannot have the same DS in multiple zones, since the DS value is computed from both the key and the domain name!

Also, recent attacks against SHA1 (see https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html or https://blog.apnic.net/2020/01/17/sha-1-chosen-prefix-collisions-and-dnssec/ for a full explanation of consequences for DNSSEC) can be mitigated a little if you make sure NOT TO use the same key for multiple zones. ("For extra protection against chosen prefix collision attacks, zones should not share keys, and they should have separate ZSKs and KSKs.")

And as Håkan said in comments, nowadays for new deployments you should use either ECDSAP256SHA256 or RSASHA256 (hence no SHA-1 whatsoever). See RFC 8624 section 3.1 (all SHA-1 versions there are either "MUST NOT" implement or "NOT RECOMMENDED").

Patrick Mevzek
  • The note on SHA1 is interesting in itself, but in the context of this question maybe it would be good to clarify that for a new deployment there is (generally) no reason to pick a SHA1-based algorithm in the first place, instead it makes sense to just go with the [current recommendations (at this point ECDSAP256SHA256 or RSASHA256)](https://tools.ietf.org/html/rfc8624#section-3.1). – Håkan Lindqvist Jan 11 '20 at 18:50
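A worked example of the DS point made in the answer above (added here; it is not code from the original post or from BIND): the DS digest is SHA-256 over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034), so one DNSKEY published in two zones keeps the same key tag but gets a different DS digest per zone. The DNSKEY bytes are constructed sample data, not a real key.

```python
import hashlib
import struct

# Constructed sample DNSKEY RDATA (not a real key): flags=257 (KSK), protocol=3,
# algorithm=13 (ECDSAP256SHA256), followed by 64 bytes standing in for the public key.
SAMPLE_PUBLIC_KEY = bytes(range(1, 65))
SAMPLE_DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 13) + SAMPLE_PUBLIC_KEY


def owner_name_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length byte, terminated by the empty root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(dnskey_rdata):
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except RSA/MD5).
    It depends only on the DNSKEY RDATA, so it is identical in every zone."""
    acc = 0
    for i, b in enumerate(dnskey_rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner, dnskey_rdata):
    """Return (key tag, algorithm, digest type 2, hex digest) for a DS record.
    The digest covers owner name wire form + DNSKEY RDATA (RFC 4034 section 5.1.4),
    which is why the same key yields a different DS in each zone."""
    digest = hashlib.sha256(owner_name_wire(owner) + dnskey_rdata).hexdigest().upper()
    return key_tag(dnskey_rdata), dnskey_rdata[3], 2, digest


def ds_for_zones(zones, dnskey_rdata=SAMPLE_DNSKEY_RDATA):
    """Compute the DS record fields for one DNSKEY used across several zones."""
    return {zone: ds_record(zone, dnskey_rdata) for zone in zones}


if __name__ == "__main__":
    # Same key, two zones: same key tag, different digests.
    for zone, (tag, alg, dtype, digest) in ds_for_zones(["example.com.", "example.net."]).items():
        print(f"{zone} IN DS {tag} {alg} {dtype} {digest}")
```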