[dns-operations] .fr has 5 DNSKEYs
Edward Lewis
Ed.Lewis at neustar.biz
Tue May 31 12:47:10 UTC 2011
At 11:34 +0200 5/31/11, Stephane Bortzmeyer wrote:
>Pre-publishing the ZSK solves this problem.
>
>RFC 4641, section 4.2.1.1.
FWIW, US, BIZ and CO also normally have 4 keys, plus 1 when in a key
change. For the same reasons. And no, nothing "political."
You can't "just press a key into service" - that would shock the
system. Remember DNS is client-cache-server and not client-server.
That extra component (is what gave rise to DNSSEC in the first place
and) causes latency in all changes of course.
When a key is determined to be compromised, it is possible that just
a small population is impacted, say, one cache being poisoned.
(There are many scenarios.) If that's the case, you don't want to
squash the rest of the Internet's operations. That's why we always
have a "rescue" key. (We called it emergency, not that there's a
difference.)
Until we have an actual event, no one knows what to plan for.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Now, don't say I'm always complaining.
Wait, that's a complaint, isn't it?
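The following is an added illustration, not code from the post or from any registry: a small model of why a ZSK cannot be "just pressed into service" and what pre-publishing (RFC 4641, section 4.2.1.1) and a spare "rescue" key buy you. It tracks only the DNSKEY RRset held by each resolver cache for its TTL, and does not model cached RRSIGs or real signatures; the key tags 1, 2 and 9 and the 3600-second TTL are placeholders chosen for the example, and the retirement step reuses the DNSKEY TTL as a stand-in for the longest signature TTL.

```python
"""Simulate a ZSK change as seen through resolver caches.

Constructed model for illustration; key tags and TTLs are placeholders.
A validator can only verify data signed by a key that is present in the
DNSKEY RRset its cache currently holds, so a key that caches have not yet
seen causes validation failures until their copy of the RRset expires.
"""
from dataclasses import dataclass, field

DNSKEY_TTL = 3600  # seconds; chosen for the example


@dataclass
class Zone:
    published: set   # key tags currently in the DNSKEY RRset
    signer: int      # key tag producing RRSIGs over zone data


@dataclass
class Cache:
    first_fetch: int                                   # when this resolver first asks
    keys: frozenset = field(default_factory=frozenset)  # cached DNSKEY RRset
    expires: int = -1                                  # absolute expiry time

    def dnskeys(self, zone, now):
        """Return the DNSKEY RRset this cache believes in at time `now`."""
        if now < self.first_fetch:
            return None                                # has not asked yet
        if not self.keys or now >= self.expires:
            self.keys = frozenset(zone.published)      # refetch from authority
            self.expires = now + DNSKEY_TTL
        return self.keys


def failing(caches, zone, now):
    """Count caches whose DNSKEY view lacks the key now signing the zone."""
    n = 0
    for c in caches:
        keys = c.dnskeys(zone, now)
        if keys is not None and zone.signer not in keys:
            n += 1
    return n


def abrupt_rollover():
    """Swap signer and RRset at once: stale caches fail until they refresh."""
    zone = Zone({1}, 1)
    caches = [Cache(0), Cache(1200), Cache(2400)]      # staggered first lookups
    for t in (0, 1200, 2400):
        failing(caches, zone, t)                       # prime each cache with {1}
    zone.published, zone.signer = {2}, 2               # t = 3000: new key only
    return [(t, failing(caches, zone, t)) for t in (3000, 3601, 4801, 6001)]


def prepublish_rollover():
    """Publish key 2 first; sign with it only after one DNSKEY TTL has passed."""
    zone = Zone({1}, 1)
    caches = [Cache(0), Cache(1200), Cache(2400)]
    timeline = []
    failing(caches, zone, 0)                           # cache 0 primed with {1}
    zone.published = {1, 2}                            # t = 1000: pre-publish, still signing with 1
    for t in (1200, 2400):
        timeline.append((t, failing(caches, zone, t)))
    zone.signer = 2                                    # t = 1000 + TTL: every cache has seen {1, 2}
    timeline.append((4600, failing(caches, zone, 4600)))
    zone.published = {2}                               # retire key 1 once its RRSIGs have aged out
    timeline.append((8200, failing(caches, zone, 8200)))
    return timeline


def rescue_key_switch():
    """A spare key already in the RRset can take over signing immediately."""
    zone = Zone({1, 9}, 1)                             # 9 is the pre-published rescue key
    caches = [Cache(0), Cache(1200), Cache(2400)]
    for t in (0, 1200, 2400):
        failing(caches, zone, t)
    zone.signer = 9                                    # key 1 compromised at t = 3000
    return [(t, failing(caches, zone, t)) for t in (3000, 3601, 4801)]


if __name__ == "__main__":
    print("abrupt     ", abrupt_rollover())
    print("pre-publish", prepublish_rollover())
    print("rescue key ", rescue_key_switch())
```

The abrupt timeline shows the failure count dropping one cache at a time as each cache's copy of the old DNSKEY RRset expires, which is the "shock to the system" the post describes; the pre-publish and rescue-key timelines stay at zero because every cache already holds the key before it starts signing.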