[dns-operations] Signatures expired at arin.net
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Jan 11 16:02:17 UTC 2019
> On Jan 11, 2019, at 10:25 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
> DS withdrawn from .net (but the TTL is one day, so it will linger) and
> new signatures published in zone 2017076125 (but the TTL of the old
> sigs is half a day).
And now signed again. Though perhaps some non-emergency changes are warranted:
* Switch from algorithm 5 to algorithm 8 or 13
* If algorithm 8, consider at least a 1280-bit KSK
* Sign the DNSKEY RRset with just the active KSK, rather than
  with two KSKs and also the ZSK, reducing the packet size.
See: http://dnsviz.net/d/arin.net/dnssec/
--
Viktor.
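
The three suggestions in the message above, expressed as an audit over DNSKEY records. This is an added example, not part of the original post. The function names, finding codes and sample keys are constructed for illustration, and the key-size check is applied to every RSA KSK (algorithms 5, 7, 8, 10), not only algorithm 8.

```python
import base64
import struct

RSA_ALGS = {5, 7, 8, 10}  # IANA DNSSEC algorithm numbers that use RSA keys
MIN_KSK_BITS = 1280       # threshold suggested in the message

def rsa_bits(pubkey):
    """Modulus size in bits of an RFC 3110 RSA public key field."""
    elen, off = pubkey[0], 1
    if elen == 0:  # long form: two-byte exponent length follows
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()

def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def audit(dnskeys, rrsig_tags):
    """dnskeys: (flags, protocol, algorithm, base64 key) tuples.
    rrsig_tags: key tags of the RRSIGs covering the DNSKEY RRset."""
    findings, is_ksk = [], {}
    for flags, proto, alg, b64 in dnskeys:
        pub = base64.b64decode(b64)
        tag = key_tag(flags, proto, alg, pub)
        is_ksk[tag] = bool(flags & 0x0001)  # SEP bit marks a KSK
        if alg == 5:
            findings.append((tag, "alg5-rsasha1"))
        if alg in RSA_ALGS and is_ksk[tag] and rsa_bits(pub) < MIN_KSK_BITS:
            findings.append((tag, "short-rsa-ksk"))
    signers = sorted(set(rrsig_tags))
    findings += [(t, "dnskey-signed-by-non-ksk") for t in signers if not is_ksk.get(t)]
    if sum(1 for t in signers if is_ksk.get(t)) > 1:
        findings.append((None, "dnskey-signed-by-multiple-ksks"))
    return findings

def sample_key(bits, seed):
    """Constructed key field, not a real key: exponent 65537 plus filler modulus."""
    modulus = bytes([0x80 | seed]) + bytes([seed]) * (bits // 8 - 1)
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

# Constructed zone apex: two KSKs and a ZSK on algorithm 5, all signing DNSKEY.
BEFORE = [(257, 3, 5, sample_key(1024, 1)), (257, 3, 5, sample_key(2048, 2)),
          (256, 3, 5, sample_key(1024, 3))]
BEFORE_TAGS = [key_tag(f, p, a, base64.b64decode(k)) for f, p, a, k in BEFORE]

if __name__ == "__main__":
    for tag, code in audit(BEFORE, BEFORE_TAGS):
        print(tag, code)
```

Against a live zone, the tuples would come from the DNSKEY RRset and the tags from the key tag field of the RRSIGs that cover it.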