[dns-operations] Aging TLD RSA DNSKEYs...
Steve.DeJong at team.neustar
Thu Jan 24 23:31:53 UTC 2019
On Jan 21, 2019, at 12:05 PM, Viktor Dukhovni <ietf-dane at dukhovni.org<mailto:ietf-dane at dukhovni.org>> wrote:
Out of these 203 TLDs 164 (80%) are operated by Neustar, Inc.
Regarding to nTLDStats <https://urldefense.proofpoint.com/v2/url?u=https-3A__ntldstats.com_backend_Neustar-2DInc&d=DwICAg&c=MOptNlVtIETeDALC_lULrw&r=NoKMmUq-UYoYLc4rqpi3tC8yozjEBa38r4xqZM4cfhs&m=TSWSMB04KOBuEiQcUxyhsqgoCw_zZdzpqQdhfaw9YMA&s=RDzIkAf3yIO7tISyAswIYExm8cp0gP-EAdFsNC6QZps&e=>
Neustar operates 271 TLDs. Either they have done some key roll overs, or
Viktor missed some Neustar TLDs. ;-)
I have all the TLDs covered, so perhaps some did get rolled over,
or use keys stronger than 1024 bits.
One thing I did not mention (because I only checked now), is that
one reason for so many TLDs having similarly aged keys, is that in
fact 124 TLDs share the same pair of 1024-bit ZSKs, and 57 of them
also share a third 1024-bit ZSK, all present since Oct 2017 ("kid"
is a unique database id for each key):
Neustar registry teams are aware of the aging keys, technical teams are fully tasked on other projects at this time and we are planning the rollovers on a schedule that will not impact other product commitments.
- Steve DeJong
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations