[dns-operations] CO.ZA and ZA surprising number of DNSKEYs
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Sep 1 09:03:40 UTC 2019
While looking at an issue with a specific .co.za delegation,
I noticed that .co.za and .za have a surprisingly large
number of KSKs and ZSKs:
http://imrryr.org/~viktor/dnsviz/co.za.d/co.za.html
.ZA: 5 RSASHA256 KSKs and 6 ZSKs:
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 11615 (active, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 40184 (active, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 54052 (inactive, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 45749 (inactive)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 8471 (inactive)
;
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 17146 (active)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 3289 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 28153 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 55018 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 60805 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 38470 (inactive)
.CO.ZA: 3 RSASHA256 KSKs and 4 ZSKs:
co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 6827 (active, DS in parent)
co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 63277 (active)
co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 28207 (inactive)
;
co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 33723 (active)
co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 40501 (inactive)
co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 18216 (inactive)
co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 61704 (inactive)
Is this expected? The signed DNSKEY response for .ZA is 2879 bytes!
To me, it looks like neglected cleanup of stale keys...
--
Viktor.