[dns-operations] Signing of the ARPA zone

Chris Thompson cet1 at cam.ac.uk
Mon Mar 15 11:03:08 UTC 2010


On Mar 11 2010, Roy Arends reported Joe Abley as writing:

[...]
>> The ARPA zone is about to be signed using DNSSEC. The technical parameters
>> by which ARPA will be signed are as follows:
>> 
>> KSK Algorithm and Size: 2048 bit RSA
>> KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
>> KSK Signature Algorithm: SHA-256
>> Validity period for signatures made with KSK: 15 days; new signatures
>>   published every 10 days
>> ZSK Algorithm and Size: 1024 bit RSA
>> ZSK Rollover: every 3 months
>> ZSK Signature Algorithm: SHA-256
>> Authenticated proof of non-existence: NSEC
>> Validity period for signatures made with ZSK: 7 days; zone generated
>>   and re-signed twice per day

The servers that are delivering a signed "arpa" so far have DNSKEY/RRSIG
records using algorithm RSASHA1 (5) rather than RSASHA256 (8). Has there
been a change of plan in that respect?

$ dig +noall +answer +multi dnskey arpa. @l.root-servers.net
arpa.                   172800 IN DNSKEY 256 3 5 (
                                AwEAAbR/e2Se8s2zzu6emIa75O8KL3BRg1mxa1d8SM6d
                                qI0/wm7tI+9zNQtBQ2XYPQGJXJ1DdcZzGxMI63KtMBpa
                                d81zKxkET6VPUP2brNwZ3/8oB6/j+1m3zeFE4irMFYeq
                                RQE0Nb+ADeK1q/QVkQ67rRjECmbdjEEjFB8/AgNupmPP
                                ) ; key id = 4908
arpa.                   172800 IN DNSKEY 257 3 5 (
                                AwEAAa0YP86LTJFMhU6oLL9C2KZJYEPcmIeNJw8wOx+I
                                ZRv9qLU1Z92MpuXPltJdkhfrAgiQGfPQi/2Uy705In6M
                                0b2ZwRgKfBTvl6Tt6g0aEoFJErvzuyVH+kAiLNwTYh+N
                                OxczcIyCbpQXhY0dNOV5Tf5C3xzPvGTzFo9joau7SYdN
                                WfvsXVdTG7/C1xMd23KZkY077gM7S9NwWNLYEyjti8ix
                                LbDvHBHOGxGzuvqGtangqrKDchzk0evL13LZjgTyE7KH
                                A6ALx0jI26N48LwIz56jRHhshvXcIp4RWYbtaXsYmxbz
                                fMp0IBiraMD7O69E0rLdo13yQL9Pf/rtgPi1H7M=
                                ) ; key id = 59527

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
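As an added example (not part of Chris's post or of any project's code), the following Python script parses the dig +multi answer quoted above, decodes each DNSKEY RDATA, and reports the served algorithm number and RSA modulus size against the announced plan (RSASHA256, 1024-bit ZSK, 2048-bit KSK). The key-tag routine follows RFC 4034 Appendix B and the RSA field layout follows RFC 3110; the record regex, the ANNOUNCED table and the finding field names are the example's own assumptions.

```python
import base64
import re
import struct
ANNOUNCED = {"algorithm": 8, "ZSK": 1024, "KSK": 2048}  # plan from the quoted message
ALG_NAMES = {5: "RSASHA1", 8: "RSASHA256"}
DIG_OUTPUT = """\
arpa. 172800 IN DNSKEY 256 3 5 (
AwEAAbR/e2Se8s2zzu6emIa75O8KL3BRg1mxa1d8SM6d
qI0/wm7tI+9zNQtBQ2XYPQGJXJ1DdcZzGxMI63KtMBpa
d81zKxkET6VPUP2brNwZ3/8oB6/j+1m3zeFE4irMFYeq
RQE0Nb+ADeK1q/QVkQ67rRjECmbdjEEjFB8/AgNupmPP
) ; key id = 4908
arpa. 172800 IN DNSKEY 257 3 5 (
AwEAAa0YP86LTJFMhU6oLL9C2KZJYEPcmIeNJw8wOx+I
ZRv9qLU1Z92MpuXPltJdkhfrAgiQGfPQi/2Uy705In6M
0b2ZwRgKfBTvl6Tt6g0aEoFJErvzuyVH+kAiLNwTYh+N
OxczcIyCbpQXhY0dNOV5Tf5C3xzPvGTzFo9joau7SYdN
WfvsXVdTG7/C1xMd23KZkY077gM7S9NwWNLYEyjti8ix
LbDvHBHOGxGzuvqGtangqrKDchzk0evL13LZjgTyE7KH
A6ALx0jI26N48LwIz56jRHhshvXcIp4RWYbtaXsYmxbz
fMp0IBiraMD7O69E0rLdo13yQL9Pf/rtgPi1H7M=
) ; key id = 59527
"""
RECORD_RE = re.compile(r"(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\(([^)]*)\)\s*;\s*key id = (\d+)")

def key_tag(flags, protocol, algorithm, key):
    """Key tag per RFC 4034 Appendix B over the wire-format RDATA (all algorithms but 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF

def rsa_key_info(key):
    """RFC 3110 RSA key field: 1- or 3-byte exponent length, exponent, modulus -> (e, bits)."""
    exp_len, off = (key[0], 1) if key[0] else (struct.unpack("!H", key[1:3])[0], 3)
    exponent = int.from_bytes(key[off:off + exp_len], "big")
    return exponent, len(key[off + exp_len:]) * 8

def audit(dig_text):
    """One finding per DNSKEY record in dig +multi output: served values versus the plan."""
    findings = []
    for owner, flags, proto, alg, b64, dig_id in RECORD_RE.findall(dig_text):
        flags, proto, alg = int(flags), int(proto), int(alg)
        key = base64.b64decode("".join(b64.split()))
        exponent, bits = rsa_key_info(key)
        role = "KSK" if flags & 1 else "ZSK"  # low-order flag bit is SEP (RFC 4034 s2.1.1)
        findings.append({"role": role, "algorithm": alg, "algorithm_name": ALG_NAMES.get(alg, "other"),
                         "exponent": exponent, "modulus_bits": bits, "dig_key_id": int(dig_id),
                         "key_tag": key_tag(flags, proto, alg, key),
                         "algorithm_ok": alg == ANNOUNCED["algorithm"], "size_ok": bits == ANNOUNCED[role]})
    return findings
```

Running audit(DIG_OUTPUT) on the quoted records gives algorithm 5 (RSASHA1) with algorithm_ok False for both keys, while the key sizes (1024 and 2048 bits) do match the plan; the computed key_tag can be compared with the key id dig prints.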


