Right now, almost all DNSSEC-enabled domains on Cloudflare DNS use this key with the key tag of
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==
with the exception of a few domains that I think were used during the early internal testing of DNSSEC (since those domains belong to Cloudflare employees). From what I can see, this key has been used for almost 2 years now, since the release of Universal DNSSEC.
From what I read in the paper A Longitudinal, End-to-End View of the DNSSEC Ecosystem, a shared key can increase the attack surface, and key rollover is a recommended best practice (with reference to RFC 4641, section 3.3).
So, my questions are:
- Are there any plans to conduct a DNSKEY rollover?
- Why does Cloudflare use a shared DNSKEY in the first place? Also, are there any plans to move away from the shared DNSKEY and create a unique DNSKEY for each domain?
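As an added example that is not part of the original post or of Cloudflare's tooling, the following script shows how one can verify the sharing claim above: it parses DNSKEY records in zone-file presentation format, computes each key's key tag per RFC 4034 Appendix B (so the tag the post leaves out can be derived from the rdata shown), and groups zones by identical key material to flag keys that several zones have in common. The zone names (`alice.example.`, `bob.example.`, `carol.example.`) and carol's placeholder key are constructed for the example; the two records attached to alice and bob are the ones quoted in the post.

```python
import base64
import struct
from collections import defaultdict


def parse_dnskey(rdata: str):
    """Parse DNSKEY rdata in presentation format: '<flags> <proto> <alg> <base64>'.

    The base64 part may contain whitespace (zone-file line wrapping),
    so everything after the third field is joined before decoding.
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed DNSKEY rdata: {rdata!r}")
    flags, proto, alg = (int(f) for f in fields[:3])
    key = base64.b64decode("".join(fields[3:]), validate=True)
    return flags, proto, alg, key


def key_tag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B.

    Algorithm 1 (RSA/MD5) uses the legacy rule from Appendix B.1; every
    other algorithm uses the checksum-style computation over the wire-format rdata.
    """
    if alg == 1:
        # Most significant 16 bits of the least significant 24 bits of the modulus.
        return int.from_bytes(key[-3:-1], "big")
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def role(flags: int) -> str:
    """Flags 257 = SEP bit set (KSK); 256 = zone key without SEP (ZSK)."""
    return "KSK" if flags & 0x0001 else "ZSK"


def find_shared_keys(zones: dict):
    """Map every DNSKEY (flags, proto, alg, key bytes) to the zones publishing it,
    keeping only keys that appear in more than one zone."""
    by_key = defaultdict(list)
    for zone, records in zones.items():
        for rdata in records:
            flags, proto, alg, key = parse_dnskey(rdata)
            by_key[(flags, proto, alg, key)].append(zone)
    return {k: sorted(z) for k, z in by_key.items() if len(z) > 1}


def report(zones: dict):
    """Human-readable lines: one per shared key, with tag, role and the zones."""
    lines = []
    for (flags, proto, alg, key), zone_list in sorted(find_shared_keys(zones).items(), key=lambda kv: kv[1]):
        tag = key_tag(flags, proto, alg, key)
        lines.append(f"tag {tag:5d} {role(flags)} alg {alg}: shared by {', '.join(zone_list)}")
    return lines


# Records quoted in the post (KSK with flags 257, ZSK with flags 256), algorithm 13 (ECDSAP256SHA256).
CF_KSK = ("257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ "
          "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
CF_ZSK = ("256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z "
          "1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==")

# Constructed sample: two hypothetical zones that publish the same key pair, and one
# with its own (placeholder, not a real ECDSA key) DNSKEY. Names are invented for this example.
SAMPLE_ZONES = {
    "alice.example.": [CF_KSK, CF_ZSK],
    "bob.example.": [CF_KSK, CF_ZSK],
    "carol.example.": ["257 3 13 AQI="],
}

if __name__ == "__main__":
    for line in report(SAMPLE_ZONES):
        print(line)
```

In practice the records would come from `dig +dnssec DNSKEY <zone>` for each zone under test; the grouping is deliberately keyed on the raw key material rather than the key tag, since tags are 16-bit and can collide between unrelated keys.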