[dns-operations] [Ext] CO.ZA and ZA surprising number of DNSKEYs

Edward Lewis edward.lewis at icann.org
Mon Sep 2 03:21:45 UTC 2019

On 9/1/19, 5:11 PM, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:

>    Is this expected?

"Surprising" is in the eyes of the beholder...

Have you tried to contact the operator directly?  This doesn't always work [at times I've tried others to no avail], but if it does work, that approach may be more effective than asking a mailing list.  (Sorry, standard knee-jerk response to open questions about an operator's work.)

Over the years there have been many larger-than-one-would-expect key sets.  At times, the operator in question would fall over.  But I've never seen any link between keyset size and fall-overs.  (And I have looked for links.)  Not that this condones large set sizes, but the urgency to fix has never been proven.

FWIW, here are my observations of the keys for the subject TLD.  First saw a signed SOA on December 8, 2016.  (Dates may be off by one day due to rounding of time and time zones, etc.)

DNSKEY-SEP  2016-12-08 => CURRENT keyid 08471
DNSKEY-SEP  2016-12-08 => CURRENT keyid 40184
DNSKEY-SEP  2017-03-07 => CURRENT keyid 11615
DNSKEY-SEP  2018-02-01 => CURRENT keyid 54052
DNSKEY-SEP  2019-08-09 => CURRENT keyid 45749
DNSKEY-ZONE 2016-12-08 => 2017-01-03 keyid 47905
DNSKEY-ZONE 2016-12-08 => 2017-05-08 keyid 50566
DNSKEY-ZONE 2016-12-08 => CURRENT keyid 55018
DNSKEY-ZONE 2017-03-31 => 2018-01-16 keyid 19285
DNSKEY-ZONE 2017-07-14 => CURRENT keyid 28153
DNSKEY-ZONE 2018-01-24 => CURRENT keyid 17146
DNSKEY-ZONE 2018-02-01 => CURRENT keyid 38470
DNSKEY-ZONE 2018-06-09 => CURRENT keyid 03289
DNSKEY-ZONE 2019-08-09 => CURRENT keyid 60805

(CURRENT is 01 Sept 2019 per UTC, last processed observation set)

I can't say that I see a pattern [like always introducing a key on 1st of a month, quarter, etc.] that meets up with what I'd expect to see from an automated (cron'd) process, leading me to suspect manual interventions.
