[dns-operations] CO.ZA and ZA surprising number of DNSKEYs (Viktor Dukhovni)

Calvin Browne calvin at orange-tree.alt.za
Mon Sep 2 06:42:55 UTC 2019


Ok - we're moving between signers.... so yeah expected.


--Calvin

On 2019/09/02 08:40, Calvin Browne wrote:
>
> Nudging someone on this.
>
>
> --Calvin
>
>> Message: 1
>> Date: Sun, 1 Sep 2019 05:03:40 -0400
>> From: Viktor Dukhovni <ietf-dane at dukhovni.org>
>> To: dns-operations at dns-oarc.net
>> Subject: [dns-operations] CO.ZA and ZA surprising number of DNSKEYs
>> Message-ID: <20190901090340.GA70599 at straasha.imrryr.org>
>> Content-Type: text/plain; charset=us-ascii
>>
>> While looking at an issue with a specific .co.za delegation,
>> I noticed that .co.za and .za have a surprisingly large
>> number of KSKs and ZSKs:
>>
>>     http://imrryr.org/~viktor/dnsviz/co.za.d/co.za.html
>>
>>      .ZA: 5 RSASHA256 KSKs and 6 ZSKs:
>>
>>     za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 11615 (active, DS in parent)
>>     za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 40184 (active, DS in parent)
>>     za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 54052 (inactive, DS in parent)
>>     za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 45749 (inactive)
>>     za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 8471  (inactive)
>>     ;
>>     za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 17146 (active)
>>     za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 3289  (inactive)
>>     za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 28153 (inactive)
>>     za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 55018 (inactive)
>>     za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 60805 (inactive)
>>     za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 38470 (inactive)
>>
>>      .CO.ZA: 3 RSASHA256 KSKs and 4 ZSKs:
>>
>>     co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 6827 (active, DS in parent)
>>     co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 63277 (active)
>>     co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 28207 (inactive)
>>     ;
>>     co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 33723 (active)
>>     co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 40501 (inactive)
>>     co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 18216 (inactive)
>>     co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 61704 (inactive)
>>
>> Is this expected?  The signed DNSKEY response for .ZA is 2879 bytes!
>> To me, it looks like neglected cleanup of stale keys...
>>
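
An added example, not part of the thread or of dnsviz: a short Python audit over the dnsviz-style key inventory quoted above. It counts KSKs and ZSKs per zone, lists keys that are neither signing anything nor anchored by a DS in the parent (the cleanup candidates Viktor is pointing at), and estimates the wire size of the signed DNSKEY response for the current key set and for the active keys alone, so the cost of the stale keys is visible. The size arithmetic assumes RSA keys with a 3-byte public exponent (RFC 3110 encoding), compressed owner names in the answer section, one RRSIG per active KSK with an uncompressed signer name, and an OPT record with no options; none of that is stated in the thread, but under those assumptions the za. estimate lands on the 2879 bytes Viktor quotes. The record format and the `Key` / `parse_inventory` / `estimate_dnskey_response` names are ours.

```python
import re
from dataclasses import dataclass

# .ZA and .CO.ZA key inventories as quoted in the thread, one record per line.
ZA_INVENTORY = """\
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 11615 (active, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 40184 (active, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 54052 (inactive, DS in parent)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 45749 (inactive)
za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 8471  (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 17146 (active)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 3289  (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 28153 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 55018 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 60805 (inactive)
za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 38470 (inactive)
"""
CO_ZA_INVENTORY = """\
co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 6827 (active, DS in parent)
co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 63277 (active)
co.za. DNSKEY 257 3 8 <2048-bit RSA> ; KSK; alg = RSASHA256 ; key id = 28207 (inactive)
co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 33723 (active)
co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 40501 (inactive)
co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 18216 (inactive)
co.za. DNSKEY 256 3 8 <1024-bit RSA> ; ZSK; alg = RSASHA256 ; key id = 61704 (inactive)
"""

# One dnsviz-style summary line; headings and ';' separators do not match.
DNSKEY_LINE = re.compile(
    r"^(?P<owner>\S+)\s+DNSKEY\s+(?P<flags>\d+)\s+3\s+(?P<alg>\d+)\s+<(?P<bits>\d+)-bit RSA>"
    r".*?key\s+id\s*=\s*(?P<tag>\d+)\s*\((?P<status>[^)]*)\)")


@dataclass
class Key:
    owner: str
    flags: int
    alg: int
    bits: int
    tag: int
    active: bool          # dnsviz saw this key producing signatures
    ds_in_parent: bool    # a matching DS exists in the parent zone

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit: 257 = zone key + SEP


def parse_inventory(text: str) -> list[Key]:
    keys = []
    for line in text.splitlines():
        m = DNSKEY_LINE.match(line.strip())
        if m:
            status = m["status"]
            keys.append(Key(m["owner"], int(m["flags"]), int(m["alg"]), int(m["bits"]),
                            int(m["tag"]), status.startswith("active"), "DS in parent" in status))
    return keys


def stale_keys(keys: list[Key]) -> list[Key]:
    """Keys neither signing anything nor anchored by a parent DS: safe to retire."""
    return [k for k in keys if not k.active and not k.ds_in_parent]


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name ("za." -> 4, "co.za." -> 7)."""
    return sum(1 + len(label) for label in name.strip(".").split(".") if label) + 1


def estimate_dnskey_response(keys: list[Key], exponent_len: int = 3) -> int:
    """Estimated bytes in the signed DNSKEY response for this key set.

    Assumptions (ours, not from the thread): 12-byte header + question; each
    DNSKEY RR uses a 2-byte compression pointer for its owner name, 10 bytes of
    fixed fields and RFC 3110 RSA RDATA (flags/proto/alg + exponent length byte
    + exponent + modulus); one RRSIG per active KSK whose signer name is sent
    uncompressed (RFC 4034 3.1.7); and an 11-byte OPT RR with no options.
    """
    if not keys:
        raise ValueError("empty key set")
    owner = keys[0].owner
    size = 12 + wire_name_len(owner) + 4
    for k in keys:
        size += 2 + 10 + (4 + 1 + exponent_len + k.bits // 8)
    for k in (k for k in keys if k.is_ksk and k.active):
        size += 2 + 10 + 18 + wire_name_len(owner) + k.bits // 8
    return size + 11


def report(text: str) -> None:
    keys = parse_inventory(text)
    active = [k for k in keys if k.active]
    print(f"{keys[0].owner}: {sum(k.is_ksk for k in keys)} KSKs, {sum(not k.is_ksk for k in keys)} ZSKs;"
          f" ~{estimate_dnskey_response(keys)} B now,"
          f" ~{estimate_dnskey_response(active)} B with active keys only")
    for k in stale_keys(keys):
        print(f"  stale: {'KSK' if k.is_ksk else 'ZSK'} key id {k.tag}")


if __name__ == "__main__":
    report(ZA_INVENTORY)
    report(CO_ZA_INVENTORY)
```

A key marked inactive but still with a DS in the parent (za. key id 54052) is deliberately not listed as stale: the parent DS has to be withdrawn before that DNSKEY can be dropped, otherwise validators that cached the DS have no key to match it. Conversely an active KSK with no DS yet (co.za. key id 63277) is what a rollover in progress looks like, consistent with Calvin's reply.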