This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE
- Next message (by thread): [dns-wg] Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Holger Zuleger
Holger.Zuleger at hznet.de
Thu Jan 3 16:54:19 CET 2008
> New key signing key (KSK) for .SE > > As from today, 2008-01-03 .SE publish and take into use a new KSK for > signing the .SE zone file. The key published with start 2006 with key > id = 17686 is unvalid since 2008-01-01 and will be removed > 2008-02-01. You should have configured the key published with start Would it be possible to set the REVOKE Bit on that key, and announce it for another 30 days? Doing so enables a rfc5011 aware validator to discard the key automatically from the list of possible trust anchor. Without it, the key ends up in state missing on the validator side. <quote rfc5011> Missing This is an abnormal state. The key remains a valid trust- point key, but was not seen at the resolver in the last validated DNSKEY RRSet. This is an abnormal state because the zone operator should be using the REVOKE bit prior to removal. </quote> So setting the revoke bit, would be one step to make the zone more compatible to RFC5011 (Automated Updates of DNS Security Trust Anchors) which is a way forward in implementing and using DNSSEC even without a signed root (and in absence of an elsewere trustable TAR). BTW: The same is true for all other signed TLDs and the signed zones managed by RIPE as well. Greets Holger -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4870 bytes Desc: S/MIME Cryptographic Signature URL: </ripe/mail/archives/dns-wg/attachments/20080103/6509c367/attachment.bin>
- Next message (by thread): [dns-wg] Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]