[dns-operations] CO.ZA and ZA surprising number of DNSKEYs (Viktor Dukhovni)

Calvin Browne calvin at orange-tree.alt.za
Mon Sep 2 06:40:23 UTC 2019


Nudging someone on this.


--Calvin

> Message: 1
> Date: Sun, 1 Sep 2019 05:03:40 -0400
> From: Viktor Dukhovni <ietf-dane at dukhovni.org>
> To: dns-operations at dns-oarc.net
> Subject: [dns-operations] CO.ZA and ZA surprising number of DNSKEYs
> Message-ID: <20190901090340.GA70599 at straasha.imrryr.org>
> Content-Type: text/plain; charset=us-ascii
>
> While looking at an issue with a specific .co.za delegation,
> I noticed that .co.za and .za have a surprisingly large
> number of KSKs and ZSKs:
>
> 	http://imrryr.org/~viktor/dnsviz/co.za.d/co.za.html
>
>      .ZA: 5 RSASHA256 KSKs and 6 ZSKs:
>
> 	za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 11615 (active, DS in parent)
> 	za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 40184 (active, DS in parent)
> 	za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 54052 (inactive, DS in parent)
> 	za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 45749 (inactive)
> 	za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 8471  (inactive)
> 	;
> 	za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 17146 (active)
> 	za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 3289  (inactive)
> 	za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 28153 (inactive)
> 	za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 55018 (inactive)
> 	za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 60805 (inactive)
> 	za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 38470 (inactive)
>
>      .CO.ZA: 3 RSASHA256 KSKs and 4 ZSKs:
>
> 	co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 6827 (active, DS in parent)
> 	co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 63277 (active)
> 	co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 28207 (inactive)
> 	;
> 	co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 33723 (active)
> 	co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 40501 (inactive)
> 	co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 18216 (inactive)
> 	co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 61704 (inactive)
>
> Is this expected?  The signed DNSKEY response for .ZA is 2879 bytes!
> To me, it looks like neglected cleanup of stale keys...
>
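Viktor's 2879-byte figure can be reproduced from the quoted key inventory alone. The block below is an added example, not code from the post or from the .ZA operators: it parses the dnsviz-style lines, models the wire size of the signed DNSKEY response (assuming RSA exponent 65537, owner names compressed to the question name, one RRSIG per active KSK, and an EDNS0 OPT record with no options), and lets you compare the published RRset with one that kept only the active keys.

```python
# Added example, not from the post. Assumes RSA exponent 65537 (3 bytes),
# answer owner names compressed to the question name, uncompressed RRSIG
# signer name, one RRSIG per active KSK, and an EDNS0 OPT RR with no options.
import re

# Constructed sample: the .ZA key inventory exactly as quoted in the post.
ZA_KEYS = """\
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 11615 (active, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 40184 (active, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 54052 (inactive, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 45749 (inactive)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 8471  (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 17146 (active)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 3289  (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 28153 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 55018 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 60805 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 38470 (inactive)
"""
LINE = re.compile(r"^(\S+) DNSKEY \d+ 3 8 <(\d+)-bit RSA> ; (KSK|ZSK); "
                  r".*key id = (\d+)\s+\((active|inactive)")
RR_HEADER = 12  # 2-byte compressed owner name + type, class, TTL, RDLENGTH

def parse_keys(text):
    """One dict per DNSKEY line: owner, modulus bits, role, key tag, active."""
    keys = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        keys.append({"owner": m[1], "bits": int(m[2]), "role": m[3],
                     "tag": int(m[4]), "active": m[5] == "active"})
    return keys

def wire_name_len(name):
    """Uncompressed wire length of a dotted name: 'za.' -> 4 bytes."""
    return sum(len(label) + 1 for label in name.rstrip(".").split(".")) + 1

def dnskey_rr_size(bits):
    # flags(2) proto(1) alg(1) + exponent length(1) + exponent(3) + modulus
    return RR_HEADER + 4 + 1 + 3 + bits // 8

def rrsig_rr_size(signer_bits, signer_name):
    # 18 fixed RRSIG bytes + signer name + RSA signature as long as the modulus
    return RR_HEADER + 18 + wire_name_len(signer_name) + signer_bits // 8

def response_size(keys):
    """Bytes in the DNSKEY+RRSIG answer (DO bit set) for this key inventory."""
    owner = keys[0]["owner"]
    size = 12 + wire_name_len(owner) + 4  # DNS header + question section
    size += sum(dnskey_rr_size(k["bits"]) for k in keys)
    size += sum(rrsig_rr_size(k["bits"], owner)
                for k in keys if k["role"] == "KSK" and k["active"])
    return size + 11  # OPT RR with no options
```

Under these assumptions the published inventory models to exactly 2879 bytes, while the same zone with only its three active keys would answer in 1311 bytes.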