RE: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE
I agree it would be unrealistic to set it for a production zone like .se yet.
However, I like the idea of "exercising" the REVOKE bit so that potential developers see it.
Would it break anything in BIND resolvers to do so?
If not, I'd like to set it every time I change KSKs in our demo.

-----Original Message-----
From: DNSSEC deployment [mailto:dnssec-deployment@shinkuro.com] On Behalf Of Holger Zuleger
Sent: Friday, January 04, 2008 1:11 AM
To: DNSSEC deployment
Cc: Patrik Wallstrom; Anne-Marie.Eklund-Lowinder@iis.se; dns-wg@ripe.net
Subject: Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE

Patrik Wallstrom wrote:
> On Thu, 03 Jan 2008, Holger Zuleger wrote:
>>> New key signing key (KSK) for .SE
>>> As from today, 2008-01-03, .SE publishes and takes into use a new KSK for signing the .SE zone file. The key published with start 2006 with key id = 17686 is invalid since 2008-01-01 and will be removed 2008-02-01. You should have configured the key published with start
>> Would it be possible to set the REVOKE bit on that key, and announce it for another 30 days?
> There was no time to fix this for this rollover. Next time.
Oh, sure, it's clear that no one wants to add new functionality on a productive service without testing, even if it is just to set one bit. But I thought that it was a good time to bring RFC 5011 to mind...
>> Doing so enables an RFC 5011 aware validator to discard the key automatically from the list of possible trust anchors.
> Which resolvers honor the revocation bit? To my knowledge, no Swedish resolver operators are using such software yet.
I think you are right. I guess that actually no one uses it.
Small question to all the DNSSEC operators: Please raise your hand if I'm wrong. ;-)
And to the BIND guys: Does BIND, used as a DNSSEC validator, honor the revoke bit?

Holger
As a developer I have a question about revoke bits. In a DNSKEY RRset that revokes A and also has keys B and C, does A sign (A+B+C) or does the signature from A only sign A? Signing more than simply A is nonsense, since the key is revoked. And it aids storing a presigned self-revocation for emergency use. However, that is not standard for RRset signatures. Do signatures from B and C sign (A+B+C) or (B+C)? How do revoke bit signatures work?

Best regards,
~ Wouter

richard.lamb wrote:
| I agree it would be unrealistic to set it for a production zone like .se yet.
| However, I like the idea of "exercising" the REVOKE bit so that potential developers see it.
| Would it break anything in BIND resolvers to do so?
| If not, I'd like to set it every time I change KSKs in our demo.
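The mechanics behind the REVOKE bit that Holger raises and Wouter asks about, as an added Python example that is not part of this thread: it decodes the DNSKEY flags, recomputes the RFC 4034 key tag (which changes when the REVOKE bit is set, so a revoked key is announced under a different key id than the one operators configured), and applies the RFC 5011 rule that a revocation only counts when the DNSKEY RRset is also signed by the revoked key itself. The key material, key tags and RRSIG key tags are constructed sample values, not .SE's keys, and no signature is cryptographically verified here.

```python
import base64
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1; REVOKE from RFC 5011 section 2.1).
FLAG_ZONE = 0x0100    # bit 7: Zone Key
FLAG_REVOKE = 0x0080  # bit 8: REVOKE
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag, computed over the whole DNSKEY RDATA.

    The flags field is part of the RDATA, so setting REVOKE changes the tag:
    the revoked key shows up under a new key id.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def revoked_trust_anchors(dnskey_rrset, rrsig_key_tags):
    """Apply the RFC 5011 revocation rule to a DNSKEY RRset.

    dnskey_rrset: list of (flags, protocol, algorithm, pubkey_b64) tuples.
    rrsig_key_tags: key tags named in RRSIGs covering the RRset; the caller is
    assumed to have verified those signatures cryptographically.
    Returns the tags of keys whose revocation is self-signed and must therefore
    be dropped as trust anchors. A REVOKE bit without a self-signature is ignored.
    """
    revoked = set()
    for flags, proto, alg, key in dnskey_rrset:
        if flags & FLAG_REVOKE:
            tag = key_tag(flags, proto, alg, key)
            if tag in rrsig_key_tags:
                revoked.add(tag)
    return revoked

# Constructed sample key material (not a real key): 4 bytes, base64-encoded.
SAMPLE_KEY = "AQIDBA=="
KSK_FLAGS = FLAG_ZONE | FLAG_SEP             # 257: an ordinary KSK
REVOKED_KSK_FLAGS = KSK_FLAGS | FLAG_REVOKE  # 385: the same key, revoked

if __name__ == "__main__":
    live = key_tag(KSK_FLAGS, 3, 8, SAMPLE_KEY)
    dead = key_tag(REVOKED_KSK_FLAGS, 3, 8, SAMPLE_KEY)
    print(live, dead)  # 2063 2191: same key material, different key tag
    rrset = [(REVOKED_KSK_FLAGS, 3, 8, SAMPLE_KEY), (KSK_FLAGS, 3, 8, "BQYHCA==")]
    print(revoked_trust_anchors(rrset, {dead}))  # {2191}: revocation is self-signed
    print(revoked_trust_anchors(rrset, {live}))  # set(): REVOKE bit not self-signed
```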