[dns-operations] Problems with .gov

Olafur Gudmundsson ogud at ogud.com
Mon Jan 31 16:59:11 UTC 2011

On 31/01/2011 10:40 AM, Stephane Bortzmeyer wrote:
> On Mon, Jan 31, 2011 at 03:13:49PM +0000,
>   Creighton, Tom <Tom_Creighton at cable.comcast.com> wrote
>   a message of 74 lines which said:
>> Anyone else having problems?
> For .GOV itself, I notice that the KSK 26079, introduced on Jan 26th,
> was retired less than one hour ago (around 1500 UTC), while signatures
> of the DNSKEY set, made with it, were still in the caches (the TTL
> being one day). This may explain problems.
> Another thing that puzzles me: the DNSKEY set is now signed only with
> the KSK, not by any ZSK.
> Advice from DNSSEC experts? Problem or not?

Good practice; ZSK signatures on DNSKEY only represent a waste of bits, as
no validator should ever validate them.

