[dns-operations] TLD .law - non-signing KSK with referenced DS
Matthew Richardson
matthew-l at itconsult.co.uk
Mon Jan 17 10:00:06 UTC 2022
At Mon, 17 Jan 2022 09:09:42 +0100, Alexander Mayrhofer
<alexander.mayrhofer at nic.at> wrote:-
>> Yes, the non-signing KSK could be an offline disaster recovery key. There's
>> nothing wrong about having more keys in DS than used because the change
>> process for DS is more complicated than swapping the active key in the zone.
>
>[AM] I can second what Ondrej has written. We (.at) do have an identical setup
>with an (additional) emergency key that's in the root zone, but not used under
>normal operational circumstances to sign the zone. The management of that
>disaster recovery key is completely disjunct from our "main" key.
Looking at .at in Zonemaster:-
https://www.zonemaster.fr/result/586829d6f4b5882d
it reports:-
DNSSEC
ERROR
The DNSKEY RRset is not signed by the DNSKEY with tag 19294 that the DS
record refers to. Fetched from the nameservers with IP "185.102.12.2;
192.92.125.2; 194.0.10.100; 194.0.25.10; 194.146.106.50;
2001:628:2030:4301::2; 2001:678:1c::2; 2001:678:20::10; 2001:678:d::cafe;
2001:67c:1010:12::53; 2a02:568:281::130; 2a02:850:ffff::2; 78.104.144.2;
81.91.173.130".
Given that having a standby key is a standard (and probably good!)
practice, should Zonemaster perhaps classify this as less of a problem,
maybe as a "warning"?
Obviously there needs to be at least one KSK signing the DNSKEYs...
Best wishes,
Matthew
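The three states the thread is distinguishing (a DS-referenced key that signs the DNSKEY RRset, a DS-referenced standby key that is published but does not sign, and no DS-referenced key signing at all) can be made concrete with a small classifier. This is an added example, not code from the original post, from .at, or from Zonemaster; all keys and tags below are constructed, not fetched from any zone, and matching is by key tag only (no DS digest comparison and no signature verification), which is enough to show the verdict logic but is not a validator.

```python
"""Classify the DS <-> DNSKEY <-> RRSIG(DNSKEY) relation discussed in the thread.

Added example, not code from the original post or from Zonemaster. All record
values are constructed (not real key material, not fetched from .at or the root).
Matching is by key tag only: no DS digest check, no signature verification.
"""
from dataclasses import dataclass

SEP_FLAG = 0x0001  # Secure Entry Point bit, set on KSKs (257 = ZONE | SEP)


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the form used for every algorithm
    except the obsolete RSAMD5), computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def tag(self) -> int:
        return key_tag(self.flags, self.protocol, self.algorithm, self.public_key)

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)


def classify(dnskeys, ds_tags, rrsig_dnskey_tags):
    """Return (level, detail).

    dnskeys:           the child's DNSKEY RRset
    ds_tags:           key tags referenced by the parent's DS RRset
    rrsig_dnskey_tags: key tags named in the RRSIG records over the DNSKEY RRset
    """
    in_zone = {k.tag for k in dnskeys}
    ds_tags = set(ds_tags)
    signing = ds_tags & in_zone & set(rrsig_dnskey_tags)  # DS-referenced keys that sign
    standby = (ds_tags & in_zone) - signing                 # published, referenced, not signing
    dangling = ds_tags - in_zone                             # referenced by DS, not published
    detail = {"signing": sorted(signing), "standby": sorted(standby),
              "dangling": sorted(dangling)}
    if not signing:
        # No DS-referenced key signs the DNSKEY RRset: no chain of trust at all.
        return "error", detail
    if standby or dangling:
        # Chain of trust exists via `signing`; the rest is worth a warning, not a failure.
        return "warning", detail
    return "ok", detail


# Constructed sample keys (deterministic filler bytes, not real key material).
KSK_ACTIVE = DNSKEY(257, 3, 13, bytes(range(0, 32)))
KSK_STANDBY = DNSKEY(257, 3, 13, bytes(range(32, 64)))
ZSK = DNSKEY(256, 3, 13, bytes(range(64, 96)))
ZONE_KEYS = [KSK_ACTIVE, KSK_STANDBY, ZSK]
PARENT_DS_TAGS = [KSK_ACTIVE.tag, KSK_STANDBY.tag]  # both KSKs have a DS in the parent


def standby_case():
    """The layout described for .at: both KSKs in DS, only one signs the DNSKEY RRset."""
    return classify(ZONE_KEYS, PARENT_DS_TAGS, [KSK_ACTIVE.tag])


def broken_case():
    """Only the ZSK signs the DNSKEY RRset: no DS-referenced key signs it."""
    return classify(ZONE_KEYS, PARENT_DS_TAGS, [ZSK.tag])


def clean_case():
    """Both DS-referenced keys sign the DNSKEY RRset."""
    return classify(ZONE_KEYS, PARENT_DS_TAGS, [KSK_ACTIVE.tag, KSK_STANDBY.tag])


if __name__ == "__main__":
    for name, fn in (("standby", standby_case), ("broken", broken_case), ("clean", clean_case)):
        level, detail = fn()
        print(f"{name}: {level} {detail}")
```

The `standby_case` comes back as "warning" rather than "error", which is the classification the post argues for; `broken_case` is the situation where an error is warranted because nothing the parent's DS points at actually signs the DNSKEY RRset. A real checker would additionally compare the DS digest against the published DNSKEY and verify the RRSIG, since key tags are not unique.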