Cloudflare Shared DNSKEY Implementation



Right now, almost all DNSSEC-enabled domains on Cloudflare DNS use this key, with the key tag 2371:

257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==

with the exception of a few domains that I think were used during the early internal testing of DNSSEC (since those domains belong to Cloudflare employees). From what I can see, this key has been used for almost 2 years now, since the release of Universal DNSSEC.
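To check the claim above offline, here is an added example (not code from the post or from Cloudflare) that parses the two DNSKEY records in presentation format, recomputes their key tags with the RFC 4034 Appendix B algorithm, classifies each as KSK or ZSK from the SEP flag, and shows how one would detect a shared key across zones by comparing the raw public-key bytes. The DS digest helper uses a hypothetical owner name, `example.com`, so its output is illustrative only; the DNSKEY records themselves are the ones quoted in the post.

```python
"""Parse the DNSKEY records quoted above, recompute their RFC 4034 key tags,
and compare public keys across zones to detect a shared DNSKEY."""
import base64
import hashlib

# Sample input: the two records quoted in the post (whitespace inside the
# base64 field is legal in presentation format and is simply ignored).
CLOUDFLARE_DNSKEYS = [
    "257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ "
    "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==",
    "256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z "
    "1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==",
]

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (257), clear on a ZSK (256)


def parse_dnskey(rr: str) -> dict:
    """Split 'flags protocol algorithm base64...' and rebuild the RDATA wire bytes."""
    fields = rr.split()
    flags, proto, alg = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return {"flags": flags, "protocol": proto, "algorithm": alg,
            "pubkey": pubkey, "rdata": rdata}


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag per RFC 4034 Appendix B: sum RDATA as big-endian 16-bit words,
    fold the carry once, keep the low 16 bits. Algorithm 1 (RSA/MD5) used a
    different rule and is deprecated, so it is rejected rather than handled."""
    if algorithm == 1:
        raise ValueError("algorithm 1 key tags are not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags: int) -> str:
    return "KSK" if flags & SEP_FLAG else "ZSK"


def owner_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner name || DNSKEY RDATA (RFC 4034 s5.1.4).
    The owner name is part of the input, so the same shared key yields a
    different DS record in every zone that uses it."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()


def summarize(records):
    """Return (flags, role, key tag, pubkey) for each record."""
    out = []
    for rr in records:
        k = parse_dnskey(rr)
        out.append((k["flags"], key_role(k["flags"]),
                    key_tag(k["rdata"], k["algorithm"]), k["pubkey"]))
    return out


def shared_between(zone_a_records, zone_b_records) -> bool:
    """True if the two zones publish at least one identical public key,
    which is what 'shared DNSKEY' means in practice."""
    a = {parse_dnskey(r)["pubkey"] for r in zone_a_records}
    b = {parse_dnskey(r)["pubkey"] for r in zone_b_records}
    return bool(a & b)


if __name__ == "__main__":
    for flags, role, tag, _ in summarize(CLOUDFLARE_DNSKEYS):
        print(f"flags={flags} role={role} tag={tag}")
    ksk = parse_dnskey(CLOUDFLARE_DNSKEYS[0])
    # example.com is a hypothetical owner name used only to show the DS shape
    print("DS example.com:", key_tag(ksk["rdata"], 13), "13 2",
          ds_digest("example.com", ksk["rdata"]))
```

Running the block prints tag 2371 for the 257 record, which is how the key tag in the post can be confirmed. To test the shared-key observation against live data, one would fetch the DNSKEY RRset of two Cloudflare-hosted zones (for example with `dig DNSKEY <zone>`) and feed both lists to `shared_between`; the key tag alone is a weak identifier (it is a 16-bit checksum, not a hash), so comparing the decoded public-key bytes is the reliable check.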

From what I read in the paper A Longitudinal, End-to-End View of the DNSSEC Ecosystem, a shared key can increase the attack surface, and key rollover is a recommended best practice (with reference to RFC 4641 section 3.3).

So, my questions are:

  1. Are there any plans to conduct a DNSKEY rollover?
  2. Why does Cloudflare use a shared DNSKEY in the first place? Also, are there any plans to shift away from the shared DNSKEY and create a unique DNSKEY for each domain?


Saw this on Twitter:

That solved part of Question 2, and the answer does make sense after thinking about it for a while. It would be more complex and space-consuming if each domain had its own key.