[dns-operations] .fr has 5 DNSKEYs
Olafur Gudmundsson
ogud at ogud.com
Tue May 31 13:44:14 UTC 2011
On 30/05/2011 4:07 PM, Paul Wouters wrote:
> On Mon, 30 May 2011, Stephane Bortzmeyer wrote:
>
>> By the way, I forgot to explain the .FR configuration, sorry. We keep
>> a rescue key at all times. So the minimum number of keys is four (one
>> KSK, one rescue KSK, one ZSK, one rescue ZSK). During rollovers, there
>> is sometimes one more KSK or ZSK (and both if the rollovers happen to
>> overlap).
>
> Why would you need a "rescue ZSK"? You can introduce any new ZSK at any
> time with zero notice provided your current KSK signs it. Is this
> something to do with HSMs in different locations?
>
A rescue ZSK makes sense if you do not have full confidence in your
signing system, or parts of it. In this case the rescue key should use a
different signing system to take over when things go bad.

Having a future/rescue ZSK published has much better properties than
introducing a new key when things go bad. During the rescue phase the
new version has both ZSKs in the DNSKEY set for a time that is bound by
the DNSKEY TTL + largest TTL in the zone, and this timer starts when the
new version of the zone shows up on the last authoritative server.

A rescue KSK can be published as a DS w/o having the corresponding KSK in
the DNSKEY RRset. In this case I think IANA rules/processes are forcing
.fr to publish the public key before listing the DS.
Olafur
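An added example (not from Olafur's message, nor .fr's or anyone's tooling) of the timer described above: it reads the DNSKEY TTL and the largest TTL from a constructed zone fragment, takes the time the new zone version was first seen on each authoritative server (constructed values), and computes the earliest moment the superseded ZSK may leave the DNSKEY RRset. It assumes the bound exactly as stated in the message (DNSKEY TTL + largest TTL, counted from the last server), a zone file with the class present on every record and no multi-line parenthesised records.

```python
from datetime import datetime, timedelta, timezone
# Constructed zone fragment (not .fr's zone); key material is a placeholder.
ZONE = """\
$TTL 5400
example.            IN SOA    ns1.example. hostmaster.example. 2011053101 7200 900 1209600 3600
example.     172800 IN NS     ns1.example.
example.     172800 IN NS     ns2.example.
example.       3600 IN DNSKEY 256 3 8 PLACEHOLDER_ZSK_KEY_DATA
example.       3600 IN DNSKEY 256 3 8 PLACEHOLDER_RESCUE_ZSK_KEY_DATA
example.       3600 IN DNSKEY 257 3 8 PLACEHOLDER_KSK_KEY_DATA
mail.example.  86400 IN MX     10 mail.example.
"""

def zone_ttls(text):
    """Return (dnskey_ttl, largest_ttl); records without an explicit TTL inherit $TTL."""
    default = dnskey_ttl = None
    largest = 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("$TTL"):
            default = int(line.split()[1])
            continue
        f = line.split()                       # name [ttl] class type rdata...
        explicit = f[1].isdigit()
        ttl = int(f[1]) if explicit else default
        rtype = f[3] if explicit else f[2]
        if rtype == "DNSKEY":
            dnskey_ttl = ttl
        largest = max(largest, ttl)
    return dnskey_ttl, largest

def new_version_everywhere(first_seen):
    """first_seen: {server: UTC time the new SOA serial was first served there}.
    The timer starts only when the LAST authoritative server has the new version."""
    return max(first_seen.values())

def old_zsk_removal_time(first_seen, text):
    """Earliest time the superseded ZSK may leave the DNSKEY RRset:
    last-server time + DNSKEY TTL + largest TTL in the zone."""
    dnskey_ttl, largest = zone_ttls(text)
    return new_version_everywhere(first_seen) + timedelta(seconds=dnskey_ttl + largest)

# Constructed times at which each server was first seen serving the new serial.
SEEN = {
    "ns1.example.": datetime(2011, 5, 31, 10, 0, tzinfo=timezone.utc),
    "ns2.example.": datetime(2011, 5, 31, 12, 30, tzinfo=timezone.utc),
}
```

With these inputs the largest TTL is the 172800 s NS TTL, so the old ZSK stays in the DNSKEY set for 49 hours after ns2 (the last server) picked up the new version.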