[dns-operations] [DNSSEC] Venezuela ccTLD broken

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jul 20 14:29:23 UTC 2023


On Thu, Jul 20, 2023 at 07:25:17AM -0400, Hugo Salgado wrote:

> They are aware and working on this. Thanks!

The final working state is still somewhat suboptimal:

- The KSKs are 4096 bit RSA.  This is pointless, the DS RRset from
  the root is signed with a 2048-bit RSA key.  The additional bits
  are just packet size and computational bloat.

- The ZSK need not (and so in practice should not) also sign the DNSKEY
  RRset, just the KSK signatures are sufficient.

Finally, for the RSAC (yes not the right forum to formally lodge the
question), should the root zone DS TTL still be 1 day?  Would a change
to one hour be acceptable (aligning it with the practice of many
TLDs and aiding more timely recovery from mistakes)?

-- 
    Viktor.
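As an added example (not part of this thread), a small Python audit that checks the two points above on a DNSKEY RRset: it derives the RSA modulus size from the RFC 3110 key encoding, computes key tags per RFC 4034 Appendix B, and flags a KSK larger than the parent's signing key (assumed 2048 bits here, matching the root's DS signing key) as well as a ZSK whose key tag appears among the RRSIG(DNSKEY) signers. The sample keys and signer tags are constructed, not real.

```python
# Added example: DNSKEY RRset audit for oversized KSKs and ZSK-signed DNSKEY RRsets.
import struct

PARENT_SIG_BITS = 2048  # assumption: size of the key signing the parent's DS RRset

def rsa_modulus_bits(pubkey: bytes) -> int:
    """RSA modulus size from RFC 3110 wire format: exponent length, exponent, modulus."""
    exp_len = pubkey[0]
    off = 1
    if exp_len == 0:                      # long form: two-byte exponent length follows
        exp_len = struct.unpack("!H", pubkey[1:3])[0]
        off = 3
    modulus = pubkey[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_rsa_pubkey(bits: int, fill: int) -> bytes:
    """Constructed (not real) RFC 3110 key: e=65537, modulus of exactly `bits` bits."""
    modulus = bytes([0x80 | fill]) + bytes([fill]) * (bits // 8 - 1)
    return b"\x03" + b"\x01\x00\x01" + modulus

def audit_dnskey_rrset(keys, rrsig_key_tags):
    """keys: list of (flags, proto, alg, pubkey) tuples. Returns a list of findings."""
    findings = []
    for flags, proto, alg, pk in keys:
        tag = key_tag(flags, proto, alg, pk)
        role = "KSK" if flags & 1 else "ZSK"   # SEP bit set -> KSK
        bits = rsa_modulus_bits(pk)
        if role == "KSK" and bits > PARENT_SIG_BITS:
            findings.append(f"KSK {tag}: {bits}-bit RSA exceeds parent's {PARENT_SIG_BITS}-bit signing key")
        if role == "ZSK" and tag in rrsig_key_tags:
            findings.append(f"ZSK {tag}: also signs the DNSKEY RRset (KSK signature suffices)")
    return findings

# Constructed sample: 4096-bit KSK (flags 257) and 2048-bit ZSK (flags 256), both alg 8.
KSK = (257, 3, 8, make_rsa_pubkey(4096, 0x11))
ZSK = (256, 3, 8, make_rsa_pubkey(2048, 0x22))
SIGNER_TAGS = {key_tag(*KSK), key_tag(*ZSK)}   # RRSIG(DNSKEY) present from both keys

if __name__ == "__main__":
    for line in audit_dnskey_rrset([KSK, ZSK], SIGNER_TAGS):
        print(line)
```

Feeding the audit real DNSKEY/RRSIG data from a zone (parsed into the same tuples) reproduces the two observations from the mail without any network dependency.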

