[dns-operations] nz DNSSEC KSK rollover - Standby Chain
Felipe Barbosa
felipe at internetnz.net.nz
Tue Aug 6 19:55:53 UTC 2024
Hi all,
The set of 4 maintenance windows was done(the last one was ~2 days ago).
The KSK rollover operation in our standby chain is complete.
@Peter, thanks for the suggestion(especially since we work with the
multi-signer model).
Cheers,
--
Ngā mihi
Felipe Agnelli Barbosa
DNS Specialist
InternetNZ | Ipurangi Aotearoa
We are the home of .nz and we work for an Internet that benefits all of
Aotearoa.
www.internetnz.nz
GPG: 95C1 8BDC EFA7 9CAC 303D 003E A058 2449 D152 8580
On Tue, Jul 9, 2024 at 3:18 AM Peter Thomassen <peter at desec.io> wrote:
> Hi Felipe,
>
> Thank you for sharing your plans.
>
> On 7/9/24 00:34, Felipe Barbosa via dns-operations wrote:
> > The current standby chain key tags for each zone are as follows:
> > nz: 49157, ac.nz <http://ac.nz/>: 5938, co.nz <http://co.nz/>: 59176,
> cri.nz <http://cri.nz/>: 19190, geek.nz <http://geek.nz/>: 7171,
> > gen.nz <http://gen.nz/>: 48574, govt.nz <http://govt.nz/>: 18181,
> health.nz <http://health.nz/>: 33694, iwi.nz <http://iwi.nz/>: 58454,
> > kiwi.nz <http://kiwi.nz/>: 47464, maori.nz <http://maori.nz/>: 21689,
> mil.nz <http://mil.nz/>: 43906, net.nz <http://net.nz/>: 25105, org.nz <
> http://org.nz/>:
> > 24626, parliament.nz <http://parliament.nz/>: 49424, school.nz <
> http://school.nz/>: 27382
>
> Keytags are not a safe way to identify keys, as evidenced by .ru's recent
> incident [1].
>
> Suggesting to share more unique identifiers in the future (e.g., DS
> records), to prevent similar mix-ups.
>
> [1]:
> https://lists.dns-oarc.net/pipermail/dns-operations/2024-January/022406.html
>
> Best,
> Peter
>
> --
> Like our community service? 💛
> Please consider donating at
>
> https://desec.io/
>
> deSEC e.V.
> Kyffhäuserstr. 5
> 10781 Berlin
> Germany
>
> Vorstandsvorsitz: Nils Wisiol
> Registergericht: AG Berlin (Charlottenburg) VR 37525
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20240806/4c0065d0/attachment.html>
More information about the dns-operations
mailing list