[dns-wg] DNSSEC trust anchors for unsigned zones
To: disi@localhost
From: Alexander Gall gall@localhost
Date: Wed, 30 Jan 2008 11:34:33 +0100
Hi
The current set of trust anchors distributed by RIPE NCC
(<https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt>)
includes the domains
disi.nl
example.net
pwei.net
None of these currently have any DNSSEC resource records (i.e. they
are insecure), which effectively breaks those zones for everybody who
uses that particular set of trust anchors.
I guess this shows one of the operational problems with trust anchor
management. These zones are not maintained by RIPE NCC itself and the
administrators probably didn't bother to tell them that they've
disabled DNSSEC (if they know or remember at all that their keys are
distributed by a third party). I guess it would be more prudent for
RIPE NCC to only distribute the keys for their own zones (those listed
on <https://www.ripe.net/projects/disi//keys/>).
--
Alex
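
Added example, not part of the original message and not RIPE NCC's tooling: an offline audit that compares each configured trust anchor with the DNSKEY set its zone publishes, flagging anchors left behind for zones that have gone unsigned. The BIND-style trusted-keys syntax, the signed.example and rolled.example zones, all key material and the PUBLISHED table are constructed assumptions.

```python
import base64
import re
import struct

# Constructed sample. The BIND-style trusted-keys syntax is an assumption about
# the anchor file, and the key material is dummy data, not real keys.
SAMPLE = [("disi.nl.", b"dummy-1"), ("example.net.", b"dummy-2"), ("pwei.net.", b"dummy-3"),
          ("signed.example.", b"dummy-4"), ("rolled.example.", b"dummy-5")]
ANCHORS = "trusted-keys {\n" + "".join(
    f'    "{zone}" 257 3 5 "{base64.b64encode(key).decode()}";\n' for zone, key in SAMPLE
) + "};\n"

# Constructed stand-in for each zone's current DNSKEY RRset; [] means unsigned.
PUBLISHED = {
    "disi.nl.": [], "example.net.": [], "pwei.net.": [],
    "signed.example.": [(257, 3, 5, b"dummy-4")],
    "rolled.example.": [(257, 3, 5, b"dummy-9")],
}

ENTRY = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"')

def parse_anchors(text):
    """Yield (zone, (flags, protocol, algorithm, key_bytes)) per configured anchor."""
    for zone, flags, proto, alg, key in ENTRY.findall(text):
        yield zone.lower(), (int(flags), int(proto), int(alg), base64.b64decode(key))

def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag, used to name the key in the report."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def audit(anchors_text, published):
    """Map each anchored zone to (status, key tag of the anchored key)."""
    report = {}
    for zone, key in parse_anchors(anchors_text):
        live = published.get(zone, [])
        if not live:
            status = "unsigned"   # a validator holding this anchor treats the zone as bogus
        elif key in live:
            status = "ok"
        else:
            status = "mismatch"   # zone is signed, but not with the anchored key
        report[zone] = (status, key_tag(*key))
    return report

if __name__ == "__main__":
    for zone, (status, tag) in audit(ANCHORS, PUBLISHED).items():
        print(f"{zone:18} key tag {tag:5}  {status}")
```

Run periodically against live DNSKEY answers, the "unsigned" and "mismatch" rows are the anchors to remove or update before validators start failing those zones.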