[dns-operations] Someone from Cloudflare here?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Oct 27 04:24:35 UTC 2020

On Mon, Oct 26, 2020 at 10:08:31PM -0400, Viktor Dukhovni wrote:

>          qname     | flags | alg |   stime    |   etime    |    kid     
>     ---------------+-------+-----+------------+------------+------------
>      agrilinks.org |   257 |   8 | 2018-07-29 | 2020-07-22 |   26428972
>      agrilinks.org |   257 |  13 | 2020-07-22 |            |        486
>      [...]
>      agrilinks.org |   256 |   8 | 2020-07-11 | 2020-07-22 | 4024196652
>      agrilinks.org |   256 |  13 | 2020-07-22 |            |   29460111
>
> The rather low KSK (key row id) ("kid") of 486 is due to the fact that
> the P256 key in question has been in use as a KSK over the last ~3 years
> by ~262,991 distinct domains and is still in use by ~206,413 of them.

I might note that my "kid" 29460111 is also shared by many domains
(presently at least 251,300) and has been in use for over two years.

So it appears that domains using this KSK and ZSK (likely stored in
hardened HSMs, ...) tend to keep using them long-term.  It looks
therefore like your domain was migrated to Cloudflare back in July,
but lack of ZSK rollovers since is not immediately indicative of any
latent issue.

What's more, it seems to now have a valid signature, so it looks like
you reached the right folks via some channel or other.

    agrilinks.org. IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
    agrilinks.org. IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
    agrilinks.org. IN RRSIG DNSKEY 13 2 3600 20201126034731 20200927034731 2371 agrilinks.org. yjY9OSOLtMViN8ZYL/J0uaUGzTtJcHoyzP5WhMXIXqqF99YONh4AkmL0D1kOBkWKFnwqseU8vFbME8BmigQRxA==
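
An added example, not part of the original message: a consistency check on the three records quoted above. It computes each DNSKEY's key tag (RFC 4034, Appendix B), finds which key the RRSIG names, and tests the signature's validity window against a given time. It does not verify the ECDSA signature itself, and the function names are this example's own.

```python
import base64
import struct
from datetime import datetime, timezone

# The three records exactly as quoted in the message above.
RECORDS = """\
agrilinks.org. IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
agrilinks.org. IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
agrilinks.org. IN RRSIG DNSKEY 13 2 3600 20201126034731 20200927034731 2371 agrilinks.org. yjY9OSOLtMViN8ZYL/J0uaUGzTtJcHoyzP5WhMXIXqqF99YONh4AkmL0D1kOBkWKFnwqseU8vFbME8BmigQRxA==
"""

def key_tag(flags, protocol, alg, pubkey_b64):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte  # even offsets are high-order bytes
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def _ts(s):
    """RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse(text):
    """Split presentation-format lines into DNSKEY and RRSIG dicts."""
    keys, sigs = [], []
    for line in text.splitlines():
        f = line.split()
        if f[2] == "DNSKEY":
            flags, proto, alg = map(int, f[3:6])
            keys.append({"flags": flags, "alg": alg,
                         "tag": key_tag(flags, proto, alg, f[6])})
        elif f[2] == "RRSIG":
            # covered alg labels ttl expiration inception key-tag signer signature
            sigs.append({"alg": int(f[4]), "expire": _ts(f[7]),
                         "incept": _ts(f[8]), "tag": int(f[9])})
    return keys, sigs

def check(text, now):
    """For each RRSIG: which DNSKEY it names, and whether `now` is in its window."""
    keys, sigs = parse(text)
    return [{"key_tag": s["tag"],
             "signer_flags": [k["flags"] for k in keys
                              if k["tag"] == s["tag"] and k["alg"] == s["alg"]],
             "in_window": s["incept"] <= now <= s["expire"]} for s in sigs]

if __name__ == "__main__":
    # Evaluate at the timestamp of the message itself.
    print(check(RECORDS, datetime(2020, 10, 27, 4, 24, 35, tzinfo=timezone.utc)))
```

An empty `signer_flags` list would mean the RRSIG names a key that is not in the published DNSKEY set.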

