[dns-operations] Problems with .gov
Olafur Gudmundsson
ogud at ogud.com
Mon Jan 31 16:59:11 UTC 2011
On 31/01/2011 10:40 AM, Stephane Bortzmeyer wrote:
> On Mon, Jan 31, 2011 at 03:13:49PM +0000,
> Creighton, Tom <Tom_Creighton at cable.comcast.com> wrote
> a message of 74 lines which said:
>
>> Anyone else having problems?
>
> For .GOV itself, I notice that the KSK 26079, introduced on Jan 26th,
> was retired less than one hour ago (around 1500 UTC), while signatures
> of the DNSKEY set, made with it, were still in the caches (the TTL
> being one day). This may explain problems.
>
> Another thing that puzzles me: the DNSKEY set is now signed only with
> the KSK, not by any ZSK.
>
> Advice from DNSSEC experts? Problem or not?

Good practice. ZSK signatures on DNSKEY only represent a waste of bits, as
no validator should ever validate them.

Olafur