[dns-operations] Aging TLD RSA DNSKEYs...

DeJong, Steve Steve.DeJong at team.neustar
Thu Jan 24 07:35:44 UTC 2019


> On Jan 21, 2019, at 12:05 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Mon, Jan 21, 2019 at 02:46:30PM +0100, Arsen STASIC wrote:
> 
>> Out of these 203 TLDs 164 (80%) are operated by Neustar, Inc.
>> 
>> Regarding to nTLDStats <https://ntldstats.com/backend/Neustar-Inc>
>> Neustar operates 271 TLDs. Either they have done some key roll overs, or 
>> Viktor missed some Neustar TLDs. ;-)
> 
> I have all the TLDs covered, so perhaps some did get rolled over,
> or use keys stronger than 1024 bits.
> 
> One thing I did not mention (because I only checked now), is that
> one reason for so many TLDs having similarly aged keys, is that in
> fact 124 TLDs share the same pair of 1024-bit ZSKs, and 57 of them
> also share a third 1024-bit ZSK, all present since Oct 2017 ("kid"
> is a unique database id for each key):

Neustar registry teams are aware of the aging keys. Technical teams are fully tasked on other projects at this time, and we are planning the rollovers on a schedule that will not impact other product commitments.

- Steve DeJong
Neustar


