[dns-operations] .fr has 5 DNSKEYs

Edward Lewis Ed.Lewis at neustar.biz
Tue May 31 12:47:10 UTC 2011

At 11:34 +0200 5/31/11, Stephane Bortzmeyer wrote:

>Pre-publishing the ZSK solves this problem.
>RFC 4641, section

FWIW, US, BIZ and CO also normally have 4 keys, plus 1 when in a key 
change.  For the same reasons.  And no, nothing "political."

You can't "just press a key into service" - that would shock the 
system.  Remember DNS is client-cache-server and not client-server. 
That extra component (is what gave rise to DNSSEC in the first place 
and) causes latency in all changes of course.

When a key is determined to be compromised, it is possible that just 
a small population is impacted, say, one cache being poisoned. 
(There are many scenarios.)  If that's the case, you don't want to 
squash the rest of the Internet's operations.  That's why we always 
have a "rescue" key.  (We called it emergency, not that there's a 

Until we have an actual event, no one knows that to plan for.
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Now, don't say I'm always complaining.
Wait, that's a complaint, isn't it?

More information about the dns-operations mailing list