[dns-operations] Problems with .gov

David Blacka davidb at verisign.com
Mon Jan 31 17:12:00 UTC 2011

On Jan 31, 2011, at 10:40 AM, Stephane Bortzmeyer wrote:

> On Mon, Jan 31, 2011 at 03:13:49PM +0000,
> Creighton, Tom <Tom_Creighton at cable.comcast.com> wrote 
> a message of 74 lines which said:
>> Anyone else having problems?
> For .GOV itself, I notice that the KSK 26079, introduced on Jan 26th,
> was retired less than one hour ago (around 1500 UTC), while signatures
> of the DNSKEY set, made with it, were still in the caches (the TTL
> being one day). This may explain problems.

Just to be clear: KSK 26079 was the prior KSK and has been in the .gov zone since it was originally signed.  And by "retired", I assume you mean that a version of the .gov zone was published where that key is no longer present.  This is one of the later steps in the KSK roll.  The DS record for the new KSK (53138) was published in the root well ahead of time, so there is a valid trust path through either the old DNSKEY RRset (with both 26079 and 53138) or the new DNSKEY RRset (just 53138).

> Other thing that puzzles me, the DNSKEY set is now signed only with
> the KSK, not by any ZSK.
> Advice from DNSSEC experts? Problem or not?

Signing the DNSKEY RRset with only the KSK is normal.  See the root zone as an example.


David Blacka                          <davidb at verisign.com> 
Principal Engineer    Verisign Platform Product Development
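The trust-path argument above (a cached DNSKEY RRset stays valid through a KSK roll as long as some key in it both matches a DS in the parent and signed the RRset, and a DNSKEY RRset signed by the KSK alone is fine) can be walked through with a small model of the RFC 4035 section 5.2 check. This is an added example, not code from the thread or from the .gov operator; the public-key bytes are constructed so that the RFC 4034 key tags come out to 26079 and 53138 and are not the real .gov keys, RRSIG verification is stood in for by the signer's key tag, and the root is assumed to carry only the DS for 53138.

```python
import hashlib

ZONE_WIRE = b"\x03gov\x00"   # canonical wire form of the owner name "gov."
KSK_FLAGS, ZSK_FLAGS, RSASHA256 = 257, 256, 8  # 257 = Zone Key + SEP, 256 = Zone Key; alg 8

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(rdata: bytes) -> tuple:
    """DS as (key tag, algorithm, digest); digest type 2 per RFC 4509 is
    SHA-256 over the owner name wire form followed by the DNSKEY RDATA."""
    return key_tag(rdata), rdata[3], hashlib.sha256(ZONE_WIRE + rdata).digest()

def has_trust_path(dnskey_rrset, rrsig_signer_tags, parent_ds_set) -> bool:
    """RFC 4035 5.2: a DNSKEY in the cached RRset must match a DS in the parent
    and that same key must have signed the RRset. Cryptographic RRSIG checking
    is assumed done; a signature is represented here by its signer's key tag."""
    return any(ds_record(rdata) in parent_ds_set and key_tag(rdata) in rrsig_signer_tags
               for rdata in dnskey_rrset)

# Constructed key material: the public-key bytes are fake and chosen only so the
# key tags come out to 26079 and 53138, the tags discussed in the thread.
OLD_KSK = dnskey_rdata(KSK_FLAGS, RSASHA256, b"\x61\xd6" + b"\x00" * 14)  # tag 26079
NEW_KSK = dnskey_rdata(KSK_FLAGS, RSASHA256, b"\xcb\x89" + b"\x00" * 14)  # tag 53138
ZSK = dnskey_rdata(ZSK_FLAGS, RSASHA256, b"\x07" * 16)

ROOT_DS = {ds_record(NEW_KSK)}          # assumption: root publishes only the DS for 53138
OLD_SET = [OLD_KSK, NEW_KSK, ZSK]       # DNSKEY RRset before 26079 was pulled
NEW_SET = [NEW_KSK, ZSK]                # DNSKEY RRset after 26079 was pulled

def rollover_scenarios() -> dict:
    old_tag, new_tag = key_tag(OLD_KSK), key_tag(NEW_KSK)
    return {
        # cached old RRset, RRSIGs by both KSKs: validates through 53138
        "old set, signed by both KSKs": has_trust_path(OLD_SET, {old_tag, new_tag}, ROOT_DS),
        # new RRset signed by the KSK alone, no ZSK signature: still valid
        "new set, signed by KSK only": has_trust_path(NEW_SET, {new_tag}, ROOT_DS),
        # failure mode: cached RRset whose only signer has no DS left in the parent
        "old set, signed only by retired KSK": has_trust_path(OLD_SET, {old_tag}, ROOT_DS),
    }
```

The third scenario is the one a resolver operator would look for when a KSK roll goes wrong: the cached DNSKEY RRset is not broken in itself, but no key that signed it is anchored by the parent any more.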
