[dns-operations] Signing of the ARPA zone
Chris Thompson
cet1 at cam.ac.uk
Mon Mar 15 11:03:08 UTC 2010
On Mar 11 2010, Roy Arends reported Joe Abley as writing:
[...]
>> The ARPA zone is about to be signed using DNSSEC. The technical parameters
>> by which ARPA will be signed are as follows:
>>
>> KSK Algorithm and Size: 2048 bit RSA
>> KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
>> KSK Signature Algorithm: SHA-256
>> Validity period for signatures made with KSK: 15 days; new signatures
>> published every 10 days
>> ZSK Algorithm and Size: 1024 bit RSA
>> ZSK Rollover: every 3 months
>> ZSK Signature Algorithm: SHA-256
>> Authenticated proof of non-existence: NSEC
>> Validity period for signatures made with ZSK: 7 days; zone generated
>> and re-signed twice per day
The servers that are delivering a signed "arpa" so far have DNSKEY/RRSIG
records using algorithm RSASHA1 (5) rather than RSASHA256 (8). Has there
been a change of plan in that respect?
$ dig +noall +answer +multi dnskey arpa. @l.root-servers.net
arpa. 172800 IN DNSKEY 256 3 5 (
AwEAAbR/e2Se8s2zzu6emIa75O8KL3BRg1mxa1d8SM6d
qI0/wm7tI+9zNQtBQ2XYPQGJXJ1DdcZzGxMI63KtMBpa
d81zKxkET6VPUP2brNwZ3/8oB6/j+1m3zeFE4irMFYeq
RQE0Nb+ADeK1q/QVkQ67rRjECmbdjEEjFB8/AgNupmPP
) ; key id = 4908
arpa. 172800 IN DNSKEY 257 3 5 (
AwEAAa0YP86LTJFMhU6oLL9C2KZJYEPcmIeNJw8wOx+I
ZRv9qLU1Z92MpuXPltJdkhfrAgiQGfPQi/2Uy705In6M
0b2ZwRgKfBTvl6Tt6g0aEoFJErvzuyVH+kAiLNwTYh+N
OxczcIyCbpQXhY0dNOV5Tf5C3xzPvGTzFo9joau7SYdN
WfvsXVdTG7/C1xMd23KZkY077gM7S9NwWNLYEyjti8ix
LbDvHBHOGxGzuvqGtangqrKDchzk0evL13LZjgTyE7KH
A6ALx0jI26N48LwIz56jRHhshvXcIp4RWYbtaXsYmxbz
fMp0IBiraMD7O69E0rLdo13yQL9Pf/rtgPi1H7M=
) ; key id = 59527
-- 
Chris Thompson
University of Cambridge Computing Service, New Museums Site, Cambridge CB2 3QH, United Kingdom.
Email: cet1 at ucs.cam.ac.uk
Phone: +44 1223 334715
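As an added example (it is not part of Chris Thompson's message and not tooling from ICANN or the dns-operations list), the Python below does the check the message is making by eye: it parses `dig +multi DNSKEY` output, classifies each key as KSK or ZSK from the flags field, reads the RSA modulus size out of the RFC 3110 key encoding, computes the RFC 4034 Appendix B key tag, and lists every key whose algorithm number differs from the announced one (RSASHA256 is 8; the published keys carry 5, RSASHA1). The record text is copied from the dig output above; the `ALGORITHMS` table, the `announced_alg` argument and the synthetic keys in the usage notes are the example's own.

```python
"""Check the DNSKEY RRset a server actually publishes against an announced
signing policy. Added example; not part of the mailing-list message."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# IANA DNSSEC algorithm numbers (subset). The announcement says SHA-256, i.e.
# RSASHA256 (8); the servers are handing out algorithm 5, RSASHA1.
ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
RSA_ALGORITHMS = {5, 7, 8, 10}
FLAG_ZONE, FLAG_SEP = 0x0100, 0x0001   # RFC 4034 section 2.1.1: 256 = ZSK, 257 = KSK

# Copied from the dig output quoted in the message above.
DIG_OUTPUT = """\
arpa. 172800 IN DNSKEY 256 3 5 (
AwEAAbR/e2Se8s2zzu6emIa75O8KL3BRg1mxa1d8SM6d
qI0/wm7tI+9zNQtBQ2XYPQGJXJ1DdcZzGxMI63KtMBpa
d81zKxkET6VPUP2brNwZ3/8oB6/j+1m3zeFE4irMFYeq
RQE0Nb+ADeK1q/QVkQ67rRjECmbdjEEjFB8/AgNupmPP
) ; key id = 4908
arpa. 172800 IN DNSKEY 257 3 5 (
AwEAAa0YP86LTJFMhU6oLL9C2KZJYEPcmIeNJw8wOx+I
ZRv9qLU1Z92MpuXPltJdkhfrAgiQGfPQi/2Uy705In6M
0b2ZwRgKfBTvl6Tt6g0aEoFJErvzuyVH+kAiLNwTYh+N
OxczcIyCbpQXhY0dNOV5Tf5C3xzPvGTzFo9joau7SYdN
WfvsXVdTG7/C1xMd23KZkY077gM7S9NwWNLYEyjti8ix
LbDvHBHOGxGzuvqGtangqrKDchzk0evL13LZjgTyE7KH
A6ALx0jI26N48LwIz56jRHhshvXcIp4RWYbtaXsYmxbz
fMp0IBiraMD7O69E0rLdo13yQL9Pf/rtgPi1H7M=
) ; key id = 59527
"""

DNSKEY_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s*(.*)$")
TAG_RE = re.compile(r"key id\s*=\s*(\d+)")


@dataclass
class DNSKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    key: bytes                      # public key field, already base64-decoded
    reported_tag: Optional[int]     # what dig printed as "key id", if anything

    @property
    def role(self) -> str:
        if not self.flags & FLAG_ZONE:
            return "non-zone key"
        return "KSK" if self.flags & FLAG_SEP else "ZSK"

    @property
    def rsa_bits(self) -> Optional[int]:
        """Modulus size from the RFC 3110 encoding: exponent length (1 or 3
        bytes), exponent, then modulus. Size is taken as 8 * modulus bytes."""
        if self.algorithm not in RSA_ALGORITHMS:
            return None
        exp_len, offset = self.key[0], 1
        if exp_len == 0:                        # long form: length in next two bytes
            exp_len, offset = int.from_bytes(self.key[1:3], "big"), 3
        return len(self.key[offset + exp_len:]) * 8

    def keytag(self) -> int:
        """RFC 4034 Appendix B key tag over the full DNSKEY RDATA."""
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.key
        ac = 0
        for i, b in enumerate(rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dig_dnskey(text: str) -> List[DNSKey]:
    """Parse dig output in either single-line or +multi (parenthesised) form."""
    records = []   # [owner, flags, protocol, algorithm, base64 chunks, reported tag]
    for raw in text.splitlines():
        line, _, comment = raw.partition(";")   # "; key id = N" is a dig comment
        m = DNSKEY_RE.match(line.strip())
        if m:
            owner, _ttl, flags, proto, alg, rest = m.groups()
            records.append([owner, int(flags), int(proto), int(alg), [], None])
            line = rest
        if not records:
            continue                            # header lines before the first record
        current = records[-1]
        current[4].append(line.replace("(", "").replace(")", "").strip())
        tag = TAG_RE.search(comment)
        if tag:
            current[5] = int(tag.group(1))
    return [DNSKey(o, f, p, a, base64.b64decode("".join(chunks)), t)
            for o, f, p, a, chunks, t in records]


def check_announced_algorithm(keys: List[DNSKey], announced_alg: int) -> List[str]:
    """One finding per key whose published algorithm is not the announced one."""
    findings = []
    for k in keys:
        if k.algorithm != announced_alg:
            findings.append(
                f"{k.owner} {k.role} tag {k.keytag()} ({k.rsa_bits}-bit RSA): published "
                f"{ALGORITHMS.get(k.algorithm, k.algorithm)} ({k.algorithm}), announced "
                f"{ALGORITHMS.get(announced_alg, announced_alg)} ({announced_alg})")
    return findings


if __name__ == "__main__":
    keys = parse_dig_dnskey(DIG_OUTPUT)
    for k in keys:
        print(f"{k.owner} {k.role} alg={k.algorithm} bits={k.rsa_bits} "
              f"tag={k.keytag()} dig_tag={k.reported_tag}")
    for finding in check_announced_algorithm(keys, announced_alg=8):
        print("MISMATCH:", finding)
```

The key tag is recomputed from the RDATA rather than trusted from dig's comment, so the same code can be run over a zone file or a DS record's parent-side view; keys are sorted into KSK and ZSK purely by the SEP bit, which is the only thing that distinguishes the 256 and 257 flag values in the output above.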