[dns-operations] Aging TLD RSA DNSKEYs...
arsen.stasic at univie.ac.at
Mon Jan 21 13:46:30 UTC 2019
* Viktor Dukhovni <ietf-dane at dukhovni.org> [2019-01-20 16:54 (-0500)]:
>Some TLDs have RSA ZSKs and KSKs that have gone unchanged since I
>first started capturing (hoarding) DNSKEY data on 2017-10-19.
>The total number of not yet seen to have rolled ZSKs is 798.
>The total number of not yet seen to have rolled KSKs is 1178.
>The attached tables, one for ZSKs and a second for KSKs, show for
>each TLD, the first observed date of the oldest extant key of each
>RSA bit length. Sorted oldest to newest, then by RSA bit size, and
>finally by TLD name.
>It would be great if the operators of TLDs with 1024-bit ZSKs that
>are unchanged since 2017-10-19 or earlier would consider rolling
>over to new keys, and perhaps also switch to 1280-bit RSA keys, or
>ECDSA P-256 (algorithm 13). The TLDs in question are:
> aaa able accountant americanexpress amex analytics athleta
> audible author aws ax az baby banamex bananarepublic baseball
> best bg bible bid book booking bot buzz bw by ca call capetown
> cartier cbn ceo chase chintai circle cisco citadel citi coupon
> cricket date deal dealer dell deloitte discover download duns
> dupont durban earth ee faith farmers fast ferrero fi fire flickr
> fo ford fox free frl ftr gap gent got gr grainger gucci health
> homegoods homesense honeywell hot hotels hr hsbc hyatt ieee
> imdb intel intuit jmp jnj joburg jot joy jpmorgan kinder kindle
> kiwi kpmg kpn kred like lilly lincoln lk loan marshalls mint
> mlb mm moe moi mtr mutual na nfl now nyc office oldnavy open
> osaka party pay pharmacy piaget pin ping praxi prime qpon qvc
> racing read review rocher room safe safety samsung sas save
> science secure sfr silk skype smile song spot statefarm stream
> swiftcover sx taipei talk tdk tel teva tjmaxx tjx tkmaxx trade
> tube tunes tushu uk uno vivo vu vuelos wanggou watches weather
> weatherchannel webcam whoswho wien win winners wow ws xn--1ck2e1b
> xn--1qqw23a xn--55qx5d xn--bck1b9a5dre4c xn--cck2b3b xn--cg4bki
> xn--eckvdtc9d xn--fct429k xn--g2xx48c xn--gckr3f0f xn--gk3at1e
> xn--io0a7i xn--jvr189m xn--kpu716f xn--l1acc xn--pbt977c
> xn--rovu88b xn--wgbh1c yahoo yamaxun yandex you za zappos zero
Out of these 203 TLDs 164 (80%) are operated by Neustar, Inc.
Regarding to nTLDStats <https://ntldstats.com/backend/Neustar-Inc>
Neustar operates 271 TLDs. Either they have done some key roll overs, or
Viktor missed some Neustar TLDs. ;-)
for i in $( cat TLD.list ); do \
whois -h whois.iana.org $i | grep organisation: | tail -1 >> TLD.op.list \
More information about the dns-operations