[dns-operations] .fr has 5 DNSKEYs

Olafur Gudmundsson ogud at ogud.com
Tue May 31 13:44:14 UTC 2011

On 30/05/2011 4:07 PM, Paul Wouters wrote:
> On Mon, 30 May 2011, Stephane Bortzmeyer wrote:
>> By the way, I forgot to explain the .FR configuration, sorry. We keep
>> a rescue key at all times. So the minimum number of keys is four (one
>> KSK, one rescue KSK, one ZSK, one rescue ZSK). During rollovers, there
>> is sometimes one more KSK or ZSK (and both if the rollovers happen to
>> overlap).
> Why would you need a "rescue ZSK"? You can introduce any new ZSK at any
> time with zero notice provided your current KSK signs it. Is this
> something to do with HSMs in different locations?

A rescue ZSK makes sense if you do not have full confidence in your 
signing system, or parts of it. In this case the rescue key should use a 
different signing system to take over when things go bad.

Having a future/rescue ZSK published has much better properties than 
introducing a new key when things go bad. During the rescue phase the 
new version has both ZSKs in the DNSKEY set for a time that is bound by 
the DNSKEY TTL + largest TTL in the zone, and this timer starts when the 
new version of the zone shows up on the last authoritative server.

Rescue KSK can be published as a DS w/o having the corresponding KSK in 
the DNSKEY RRset. In this case I think IANA rules/processes are forcing 
.fr to publish the public key before listing the DS.
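Paul's "zero notice" introduction of a new ZSK versus a pre-published rescue ZSK, as an added example that is not part of this thread: a small Python model of the worst-case validating resolver during an emergency switch of the signing ZSK. It assumes a resolver that refetches the DNSKEY RRset only when its cached copy expires, a slowest authoritative server that lags the primary by a fixed number of ticks, and it models only the hand-over of the signer, not the later removal of the old key from the DNSKEY set.

```python
# Added example (not from the thread): worst-case resolver model of an emergency ZSK
# switch with and without a pre-published rescue ZSK. Key tags, TTLs are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ZoneState:
    dnskeys: frozenset  # key tags present in the DNSKEY RRset
    zsk: int            # key tag of the ZSK whose RRSIGs cover zone data
def state_at(before, changes, t, lag):
    """State served at tick t by a server that is `lag` ticks behind the primary."""
    current = before
    for when, state in changes:
        if when + lag <= t:
            current = state
    return current
def worst_case(before, changes, bad_zsk, dnskey_ttl, propagation, horizon=40):
    """Return (bogus_ticks, bad_signed_ticks): most validation failures any one
    resolver sees (over every expiry tick of its cached old DNSKEY RRset, fetching
    zone data every tick from the slowest server), and the ticks during which the
    slowest server still serves data signed by the bad ZSK."""
    worst = 0
    for offset in range(dnskey_ttl):
        cached, expires, bogus = before.dnskeys, offset, 0
        for t in range(horizon):
            if t >= expires:  # cache miss: refetch DNSKEY from the slowest server
                cached = state_at(before, changes, t, propagation).dnskeys
                expires = t + dnskey_ttl
            if state_at(before, changes, t, propagation).zsk not in cached:
                bogus += 1  # RRSIG made by a key this resolver does not hold
        worst = max(worst, bogus)
    bad_signed = sum(state_at(before, changes, t, propagation).zsk == bad_zsk
                     for t in range(horizon))
    return worst, bad_signed

BAD, RESCUE = 1, 2
TTL, PROP = 6, 3  # DNSKEY TTL and primary-to-slowest-server lag, in ticks
BOTH, ONLY_BAD = frozenset({BAD, RESCUE}), frozenset({BAD})

def rescue_prepublished():
    """Rescue ZSK already in the DNSKEY RRset: switch signer at once."""
    return worst_case(ZoneState(BOTH, BAD), [(0, ZoneState(BOTH, RESCUE))], BAD, TTL, PROP)

def new_key_switch_now():
    """No rescue key: add a new ZSK and sign with it in the same zone version."""
    return worst_case(ZoneState(ONLY_BAD, BAD), [(0, ZoneState(BOTH, RESCUE))], BAD, TTL, PROP)

def new_key_prepublish_then_switch():
    """No rescue key, done safely: publish, wait PROP + TTL ticks, then switch."""
    return worst_case(ZoneState(ONLY_BAD, BAD), [(0, ZoneState(BOTH, BAD)),
                      (PROP + TTL, ZoneState(BOTH, RESCUE))], BAD, TTL, PROP)
```

With the rescue key pre-published the signer can change immediately and no resolver ever sees a bogus answer, whereas a freshly introduced key forces a choice between a window of validation failures and a further PROP + TTL ticks of data signed by the key you no longer trust.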
