
[dns-wg] Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE

  • To: Anne-Marie Eklund-Löwinder <Anne-Marie.Eklund-Lowinder@localhost>
  • From: Holger Zuleger <Holger.Zuleger@localhost>
  • Date: Thu, 03 Jan 2008 16:54:19 +0100
  • Cc: DNSSEC deployment <dnssec-deployment@localhost>, dns-wg@localhost

New key signing key (KSK) for .SE
As from today, 2008-01-03 .SE publishes and takes into use a new KSK for
signing the .SE zone file. The key published with start 2006 with key
id = 17686 is invalid since 2008-01-01 and will be removed
2008-02-01. You should have configured the key published with start

Would it be possible to set the REVOKE bit on that key and announce it for another 30 days? Doing so enables an RFC 5011-aware validator to discard the key automatically from the list of possible trust anchors.
Without it, the key ends up in the Missing state on the validator side.

<quote rfc5011>
    Missing  This is an abnormal state.  The key remains a valid trust-
             point key, but was not seen at the resolver in the last
             validated DNSKEY RRSet.  This is an abnormal state because
             the zone operator should be using the REVOKE bit prior to
             removal.
</quote>

So setting the revoke bit would be one step to make the zone more compatible with RFC 5011 (Automated Updates of DNS Security Trust Anchors), which is a way forward in implementing and using DNSSEC even without a signed root (and in the absence of an elsewhere trustable TAR).

BTW: The same is true for all other signed TLDs and the signed zones managed by RIPE as well.

Greets
 Holger

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
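
The difference between the two retirement paths described in the message above, as an added Python sketch (not part of the original post and not any validator's own code): it replays constructed DNSKEY observations through a simplified version of the RFC 5011 states for a key that is already a trust anchor. The `Anchor` class, the `replay` function and both timelines are assumptions made for illustration.

```python
# Added illustration: simplified RFC 5011 handling of an already-trusted key.
# All observations below are constructed; no DNS queries are made.
REVOKE = 0x0080         # DNSKEY flags bit 8, the REVOKE bit
REMOVE_HOLD_DOWN = 30   # days a revoked key is remembered before removal


class Anchor:
    """One configured trust-anchor key as tracked by a validator (hypothetical)."""

    def __init__(self):
        self.state = "Valid"
        self.revoked_on = None

    def trusted(self):
        # Missing is abnormal, but the key remains a valid trust point.
        return self.state in ("Valid", "Missing")

    def observe(self, day, flags, self_signed=False):
        """Apply one validated DNSKEY RRset seen on `day`.
        flags: the key's DNSKEY flags field, or None if the key is absent.
        self_signed: the RRset carries a valid signature made by this key."""
        if self.state == "Revoked":
            if day - self.revoked_on >= REMOVE_HOLD_DOWN:
                self.state = "Removed"
        elif self.state in ("Valid", "Missing"):
            if flags is None:
                self.state = "Missing"
            elif flags & REVOKE and self_signed:
                self.state, self.revoked_on = "Revoked", day
            else:
                # Key present; a REVOKE flag without the key's own
                # signature is not acted on.
                self.state = "Valid"
        return self.state


def replay(observations):
    anchor = Anchor()
    return [(day, anchor.observe(day, flags, signed), anchor.trusted())
            for day, flags, signed in observations]


# Old KSK with flags 257 (ZONE | SEP): (day, flags, self_signed)
REMOVED_WITHOUT_REVOKE = [(0, 257, True), (31, None, False), (90, None, False)]
REVOKED_THEN_REMOVED = [(0, 257, True), (1, 257 | REVOKE, True),
                        (31, 257 | REVOKE, True), (40, None, False)]

if __name__ == "__main__":
    for name in ("REMOVED_WITHOUT_REVOKE", "REVOKED_THEN_REMOVED"):
        print(name, replay(globals()[name]))
```

In the first timeline the key is still trusted on day 90 even though the zone dropped it; in the second it stops being trusted on the day the self-signed REVOKE is seen.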


 
