[dns-operations] TLD .law - non-signing KSK with referenced DS

Ondřej Surý ondrej at sury.org
Fri Jan 14 10:35:04 UTC 2022


Yes, the non-signing KSK could be an offline disaster recovery key. There’s nothing wrong with having more keys in DS than are used, because the change process for DS is more complicated than swapping the active key in the zone.

Ondřej
--
Ondřej Surý <ondrej at sury.org> (He/Him)

> On 14. 1. 2022, at 11:31, Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
> 
> Having been looking at .law following what looks like a slightly
> sub-optimal redelegation (now complete), I notice that Zonemaster is
> reporting DNSSEC issues:-
> 
> https://www.zonemaster.fr/result/f9fcceaef969aea1
> 
>> DNSSEC ERROR The DNSKEY RRset is not signed by the DNSKEY with
>> tag 16819 that the DS record refers to.
> 
> whereas DNSViz reports no such problem:-
> 
> https://dnsviz.net/d/law/YeEwEg/dnssec/
> 
> Looking visually at the DNSViz output, the KSK 16819 does look strange as
> it is referenced by a DS but does not sign anything.
> 
> Out of interest, do folks think this is a valid configuration?
> 
> Best wishes,
> Matthew
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
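As an added illustration (not code from this thread or from either tool), here is the DS -> DNSKEY -> RRSIG(DNSKEY) entry-point check a validator performs per RFC 4035: a DS that points at a published KSK which signs nothing is only a standby, harmless as long as at least one DS-referenced key does sign the DNSKEY RRset. The owner name, key bytes and tags are constructed sample values (the key material is not real ECDSA), and RRSIG signature verification is assumed to happen elsewhere.

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, public_key):
    # DNSKEY RDATA: flags, protocol (always 3), algorithm, public key (RFC 4034 s2.1)
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    # RFC 4034 Appendix B key tag (valid for every algorithm except obsolete algorithm 1)
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    # DS digest type 2: SHA-256 over canonical owner name wire form + DNSKEY RDATA (RFC 4509)
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def evaluate_entry_point(owner, ds_set, dnskeys, signer_tags):
    """ds_set: [(key_tag, algorithm, digest_hex)] from the parent; dnskeys: [(flags, algorithm, key)]
    from the child apex; signer_tags: key tags found in RRSIG(DNSKEY) records that verified.
    Classifies each DS as signing (usable entry point), standby (matches a key that signs
    nothing) or dangling (matches no published key)."""
    by_tag = {}
    for flags, alg, pk in dnskeys:
        rd = dnskey_rdata(flags, alg, pk)
        by_tag.setdefault(key_tag(rd), []).append((alg, ds_sha256(owner, rd)))
    signing, standby, dangling = [], [], []
    for tag, alg, digest in ds_set:
        if (alg, digest) not in by_tag.get(tag, []):
            dangling.append(tag)
        elif tag in signer_tags:
            signing.append(tag)
        else:
            standby.append(tag)
    # The zone is securely reachable if ANY DS leads to a key that signs the DNSKEY RRset.
    return {"secure": bool(signing), "signing": signing, "standby": standby, "dangling": dangling}

# Constructed sample: two KSKs (flags 257) published and both referenced by DS at the parent,
# but only ACTIVE_KSK signs the DNSKEY RRset; STANDBY_KSK mirrors the unused key in the thread.
OWNER = "law."
ACTIVE_KSK = (257, 13, bytes(range(64)))
STANDBY_KSK = (257, 13, bytes(range(64, 128)))
DNSKEYS = [ACTIVE_KSK, STANDBY_KSK, (256, 13, bytes(range(128, 192)))]  # plus one ZSK
DS_SET = [(key_tag(dnskey_rdata(*k)), 13, ds_sha256(OWNER, dnskey_rdata(*k)))
          for k in (ACTIVE_KSK, STANDBY_KSK)]
RESULT = evaluate_entry_point(OWNER, DS_SET, DNSKEYS, {key_tag(dnskey_rdata(*ACTIVE_KSK))})
```

RESULT reports the zone as secure with one signing and one standby DS; a monitoring check should treat a standby DS as informational and alert only when no DS reaches a signing key (or a DS is dangling).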