[dns-wg] Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE

> New key signing key (KSK) for .SE 
> 
> As from today, 2008-01-03 .SE publish and take into use a new KSK for
> signing the .SE zone file. The key published with start 2006 with key
> id = 17686 is unvalid since 2008-01-01 and will be removed
> 2008-02-01. You should have configured the key published with start
Would it be possible to set the REVOKE Bit on that key, and announce it 
for another 30 days?
Doing so enables a rfc5011 aware validator to discard the key 
automatically from the list of possible trust anchor.
Without it, the key ends up in state missing on the validator side.

<quote rfc5011>
     Missing  This is an abnormal state.  The key remains a valid trust-
              point key, but was not seen at the resolver in the last
              validated DNSKEY RRSet.  This is an abnormal state because
              the zone operator should be using the REVOKE bit prior to
              removal.
</quote>

So setting the revoke bit, would be one step to make the zone more 
compatible to RFC5011 (Automated Updates of DNS Security Trust Anchors) 
which is a way forward in implementing and using DNSSEC even without a 
signed root (and in absence of an elsewere trustable TAR).

BTW: The same is true for all other signed TLDs and the signed zones 
managed by RIPE as well.

Greets
  Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4870 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.ripe.net/ripe/mail/archives/dns-wg/attachments/20080103/6509c367/attachment.bin>