[dns-operations] TLD .law - non-signing KSK with referenced DS

Matthew Richardson matthew-l at itconsult.co.uk
Mon Jan 17 10:00:06 UTC 2022


At Mon, 17 Jan 2022 09:09:42 +0100, Alexander Mayrhofer
<alexander.mayrhofer at nic.at> wrote:-

>> Yes, the non-signing KSK could be offline disaster recovery key. There’s
>> nothing wrong about having more keys in DS than used because the change
>> process for DS is more complicated than swapping the active key in the zone.
>
>[AM] I can second what Ondrej has written. We (.at) do have an identical setup
>with an (additional) emergency key that's in the root zone, but not used under
>normal operational circumstances to sign the zone. The management of that
>disaster recovery key is completely disjunct from our "main" key. 

Looking at .at in Zonemaster:-

https://www.zonemaster.fr/result/586829d6f4b5882d

it reports:-

DNSSEC
ERROR
The DNSKEY RRset is not signed by the DNSKEY with tag 19294 that the the DS
record refers to. Fetched from the nameservers with IP "185.102.12.2;
192.92.125.2; 194.0.10.100; 194.0.25.10; 194.146.106.50;
2001:628:2030:4301::2; 2001:678:1c::2; 2001:678:20::10; 2001:678:d::cafe;
2001:67c:1010:12::53; 2a02:568:281::130; 2a02:850:ffff::2; 78.104.144.2;
81.91.173.130".

Given that having a standby key is a standard (and probably good!)
practice, should Zonemaster perhaps classify this as less of a problem,
maybe as a "warning"?

Obviously there needs to be at least one KSK signing the DNSKEYs...

Best wishes,
Matthew
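An added illustration (not part of this thread, and not Zonemaster's own code) of the distinction Matthew is drawing: a DS at the parent that refers to a published DNSKEY which does not sign the DNSKEY RRset is only a standby key, and the chain of trust still validates as long as at least one other DS-referenced key does sign the RRset. The key tags are computed per RFC 4034 Appendix B from constructed DNSKEY RDATA; the key bytes are sample values, not real keys, and a real validator matches DS to DNSKEY by digest rather than by key tag alone.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3
    algorithm: int      # 13 = ECDSAP256SHA256
    public_key: bytes   # constructed sample bytes, not a real key

def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B over the DNSKEY RDATA
    (not valid for algorithm 1, RSA/MD5, which uses a different rule)."""
    rdata = key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def classify_ds_usage(ds_tags, dnskeys, rrsig_tags):
    """Compare the parent's DS records with the child's DNSKEY RRset.

    ds_tags    - key tags referenced by the parent's DS records
    dnskeys    - the child's published DNSKEY RRset
    rrsig_tags - key tags of the RRSIGs covering that DNSKEY RRset
    Returns (severity, detail). Key tags can collide, so a real
    validator matches DS to DNSKEY by digest; this toy check skips that."""
    published = {key_tag(k) for k in dnskeys}
    signing = sorted(t for t in ds_tags if t in published and t in rrsig_tags)
    standby = sorted(t for t in ds_tags if t in published and t not in rrsig_tags)
    dangling = sorted(t for t in ds_tags if t not in published)
    if not signing:
        # No DS-referenced key signs the DNSKEY RRset: the chain of trust is broken.
        return "ERROR", f"no DS-referenced key signs the DNSKEY RRset (DS tags {sorted(ds_tags)})"
    if standby or dangling:
        # Validation succeeds via `signing`; the remaining DS entries are standby or unused keys.
        return "WARNING", f"signed by {signing}; DS also refers to standby {standby}, unpublished {dangling}"
    return "OK", f"every DS-referenced key signs the DNSKEY RRset: {signing}"

# Constructed sample zone: active KSK, offline standby KSK (DS only), and a ZSK.
ACTIVE_KSK  = DNSKEY(257, 3, 13, b"\x01\x02\x03\x04")   # tag 2068
STANDBY_KSK = DNSKEY(257, 3, 13, b"\x10\x20\x30\x40")   # tag 17518
ZSK         = DNSKEY(256, 3, 13, b"\x05\x06")           # tag 2323
DNSKEY_RRSET = [ACTIVE_KSK, STANDBY_KSK, ZSK]

def demo():
    """The .at-style setup: both KSKs have a DS, only the active one signs."""
    return classify_ds_usage({2068, 17518}, DNSKEY_RRSET, {2068, 2323})

if __name__ == "__main__":
    print(demo())   # ('WARNING', ...)
```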