[dns-operations] CO.ZA and ZA surprising number of DNSKEYs
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Sep 1 15:04:20 UTC 2019
On Sun, Sep 01, 2019 at 05:03:40AM -0400, Viktor Dukhovni wrote:
> While looking at an issue with a specific .co.za delegation,
> I noticed that .co.za and .za have a surprisingly large
> number of KSKs and ZSKs:
>
> http://imrryr.org/~viktor/dnsviz/co.za.d/co.za.html
>
> [...]
>
> To me, it looks like neglected cleanup of stale keys...

FWIW, the .ZA chronology is roughly (survey starts 2017-10-19, and
the keys seen at that time may date back considerably further):

flags | alg | bits | first seen | last seen
------+-----+------+------------+------------
  256 |   8 | 1024 | < 2017-10  |
  256 |   8 | 1024 | < 2017-10  |
  256 |   8 | 1024 | < 2017-10  | 2018-01-17
  256 |   8 | 1024 | 2018-01-25 |
  256 |   8 | 1024 | 2018-02-08 |
  256 |   8 | 1024 | 2018-06-10 |
  256 |   8 | 1024 | 2019-08-09 |

flags | alg | bits | first seen | last seen
------+-----+------+------------+------------
  257 |   8 | 2048 | < 2017-10  |
  257 |   8 | 2048 | < 2017-10  |
  257 |   8 | 2048 | < 2017-10  |
  257 |   8 | 2048 | 2018-02-08 |
  257 |   8 | 2048 | 2019-08-09 |

Which shows gradual accumulation of newer keys, mostly without
retirement of older keys.

--
Viktor.