[dns-wg] Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE
To: Patrik Wallstrom <pawal@localhost>
From: Holger Zuleger <Holger.Zuleger@localhost>
Date: Fri, 04 Jan 2008 10:11:28 +0100
Cc: DNSSEC deployment <dnssec-deployment@localhost>, Anne-Marie.Eklund-Lowinder@localhost, dns-wg@localhost

Patrik Wallstrom wrote:
> On Thu, 03 Jan 2008, Holger Zuleger wrote:
>>> New key signing key (KSK) for .SE
>>>
>>> As from today, 2008-01-03 .SE publishes and takes into use a new KSK for
>>> signing the .SE zone file. The key published with start 2006 with key
>>> id = 17686 is invalid since 2008-01-01 and will be removed
>>> 2008-02-01. You should have configured the key published with start
>>
>> Would it be possible to set the REVOKE bit on that key, and announce it for
>> another 30 days?
>
> There was no time to fix this for this rollover. Next time.

Oh, sure, it's clear that no one wants to add a new functionality on a
productive service without testing, even if it is just to set one bit.
But I thought that it was a good time to bring RFC 5011 to mind...

>> Doing so enables an RFC 5011 aware validator to discard the key automatically
>> from the list of possible trust anchors.
>
> Which resolvers honor the revocation bit? To my knowledge, no Swedish
> resolver operators are using such software yet.

I think you are right. I guess that actually no one uses it.
Small question to all the DNSSEC operators: Please raise your hand if
I'm wrong. ;-)

And to the BIND guys: Does BIND, used as a DNSSEC validator, honor the
revoke bit?

Holger
Attachment: smime.p7s (S/MIME Cryptographic Signature)
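
The trust-anchor behaviour asked about in this message, as an added example that is not part of the original e-mail or of any resolver's code: an RFC 5011 aware validator drops a configured anchor once it sees the same key published with the REVOKE bit in a DNSKEY RRset signed by that key. The function names and the key material are constructed for illustration, and RRSIG verification is assumed to happen elsewhere, with its result passed in as `verified_signers`.

```python
import struct

REVOKE = 0x0080  # RFC 5011: bit 8 of the DNSKEY flags field


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag (the "key id") as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def prune_revoked(anchors, rrset, verified_signers):
    """Return the trust anchors that survive one DNSKEY RRset.

    anchors / rrset: lists of DNSKEY RDATA bytes (hypothetical storage format).
    verified_signers: key tags whose RRSIG over the RRset validated
    (assumption: signature checking is done by the caller).
    """
    revoked = set()
    for rdata in rrset:
        (flags,) = struct.unpack("!H", rdata[:2])
        # REVOKE only counts when the revoked key itself signed the RRset.
        if flags & REVOKE and key_tag(rdata) in verified_signers:
            # A key's identity is its RDATA with the REVOKE bit cleared.
            revoked.add(struct.pack("!H", flags & ~REVOKE) + rdata[2:])
    return [a for a in anchors if a not in revoked]


# Constructed sample keys (not real .SE key material); 257 = zone key + SEP.
OLD_KSK = dnskey_rdata(257, 3, 5, bytes(range(1, 9)))
NEW_KSK = dnskey_rdata(257, 3, 5, bytes(range(11, 19)))
OLD_KSK_REVOKED = dnskey_rdata(257 | REVOKE, 3, 5, bytes(range(1, 9)))

if __name__ == "__main__":
    rrset = [OLD_KSK_REVOKED, NEW_KSK]
    signers = {key_tag(OLD_KSK_REVOKED), key_tag(NEW_KSK)}
    print("old tag:", key_tag(OLD_KSK), "revoked tag:", key_tag(OLD_KSK_REVOKED))
    print("anchors left:", len(prune_revoked([OLD_KSK, NEW_KSK], rrset, signers)))
```

Setting the bit changes the RDATA, so the revoked key is published under a different key tag than the one operators configured.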