[dns-wg] RE: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE

I agree it would be unrealistic to set it for a production zone like .se
yet.
However, I like the idea of "exercising" the REVOKE bit so that potential
developers see it.
Would it break anything in BIND resolvers to do so?
If not, id like to set it every time I change KSKs in our demo.


-----Original Message-----
From: DNSSEC deployment [mailto:dnssec-deployment at shinkuro.com] On Behalf Of
Holger Zuleger
Sent: Friday, January 04, 2008 1:11 AM
To: DNSSEC deployment
Cc: Patrik Wallstrom; Anne-Marie.Eklund-Lowinder at iis.se; dns-wg at ripe.net
Subject: Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE -
New key signing key (KSK) for .SE



Patrik Wallstrom wrote:
> On Thu, 03 Jan 2008, Holger Zuleger wrote:
> 
>>> New key signing key (KSK) for .SE 
>>> As from today, 2008-01-03 .SE publish and take into use a new KSK for
>>> signing the .SE zone file. The key published with start 2006 with key
>>> id = 17686 is unvalid since 2008-01-01 and will be removed
>>> 2008-02-01. You should have configured the key published with start
>> Would it be possible to set the REVOKE Bit on that key, and announce it
for 
>> another 30 days?
> 
> There was no time to fix this for this rollover. Next time.
Oh, sure, it's clear that no one want's to add a new functionality on a 
productive service without testing, even if it is just to set one bit.
But I thought that it was a good time to bring rfc5011 in mind...

>> Doing so enables a rfc5011 aware validator to discard the key
automatically 
>> from the list of possible trust anchor.
> 
> Which resolvers honors the revocation bit? To my knowledge, no swedish
> resolver operators are using such software yet.
I think you are right. I guess that actually no one use it.
Small question to all the dnssec operators: Please raise your hand if 
I'm wrong. ;-)
And to the bind guys: Honors bind, used as an dnssec validator, the 
revoke bit?

Holger