[dns-operations] Aging TLD RSA DNSKEYs...

Arsen STASIC arsen.stasic at univie.ac.at
Mon Jan 21 13:46:30 UTC 2019

Hi Viktor,

* Viktor Dukhovni <ietf-dane at dukhovni.org> [2019-01-20 16:54 (-0500)]:
>Some TLDs have RSA ZSKs and KSKs that have gone unchanged since I
>first started capturing (hoarding) DNSKEY data on 2017-10-19.
>The total number of not yet seen to have rolled ZSKs is 798.
>The total number of not yet seen to have rolled KSKs is 1178.
>The attached tables, one for ZSKs and a second for KSKs, show for
>each TLD, the first observed date of the oldest extant key of each
>RSA bit length.  Sorted oldest to newest, then by RSA bit size, and
>finally by TLD name.
>It would be great if the operators of TLDs with 1024-bit ZSKs that
>are unchanged since 2017-10-19 or earlier would consider rolling
>over to new keys, and perhaps also switch to 1280-bit RSA keys, or
>ECDSA P-256 (algorithm 13).  The TLDs in question are:
>    aaa able accountant americanexpress amex analytics athleta
>    audible author aws ax az baby banamex bananarepublic baseball
>    best bg bible bid book booking bot buzz bw by ca call capetown
>    cartier cbn ceo chase chintai circle cisco citadel citi coupon
>    cricket date deal dealer dell deloitte discover download duns
>    dupont durban earth ee faith farmers fast ferrero fi fire flickr
>    fo ford fox free frl ftr gap gent got gr grainger gucci health
>    homegoods homesense honeywell hot hotels hr hsbc hyatt ieee
>    imdb intel intuit jmp jnj joburg jot joy jpmorgan kinder kindle
>    kiwi kpmg kpn kred like lilly lincoln lk loan marshalls mint
>    mlb mm moe moi mtr mutual na nfl now nyc office oldnavy open
>    osaka party pay pharmacy piaget pin ping praxi prime qpon qvc
>    racing read review rocher room safe safety samsung sas save
>    science secure sfr silk skype smile song spot statefarm stream
>    swiftcover sx taipei talk tdk tel teva tjmaxx tjx tkmaxx trade
>    tube tunes tushu uk uno vivo vu vuelos wanggou watches weather
>    weatherchannel webcam whoswho wien win winners wow ws xn--1ck2e1b
>    xn--1qqw23a xn--55qx5d xn--bck1b9a5dre4c xn--cck2b3b xn--cg4bki
>    xn--eckvdtc9d xn--fct429k xn--g2xx48c xn--gckr3f0f xn--gk3at1e
>    xn--io0a7i xn--jvr189m xn--kpu716f xn--l1acc xn--pbt977c
>    xn--rovu88b xn--wgbh1c yahoo yamaxun yandex you za zappos zero
>    zippo

Out of these 203 TLDs 164 (80%) are operated by Neustar, Inc.

Regarding to nTLDStats <https://ntldstats.com/backend/Neustar-Inc> 
Neustar operates 271 TLDs. Either they have done some key roll overs, or 
Viktor missed some Neustar TLDs. ;-)

for i in $( cat TLD.list ); do \
whois -h whois.iana.org $i | grep organisation: | tail -1 >> TLD.op.list \


More information about the dns-operations mailing list