[dns-operations] Signatures expired at arin.net

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jan 11 16:02:17 UTC 2019

> On Jan 11, 2019, at 10:25 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> DS withdrawn from .net (but the TTL is one day, so it will linger) and
> new signatures published in zone 2017076125 (but the TTL of the old
> sigs is half a day).

And now signed again.  Though perhaps some non-emergency changes are warranted:

  * Switch from algorithm 5 to algorithm 8 or 13

  * If algorithm 8 consider at least a 1280-bit KSK

  * Sign the DNSKEY RRset with just the active KSK, rather than
    with two KSKs and also the ZSK, reducing the packet size.

See: http://dnsviz.net/d/arin.net/dnssec/



More information about the dns-operations mailing list