[Dnssec-deployment] DU(edu)Z spotted

Chris Thompson cet1 at cam.ac.uk
Fri Jul 30 09:14:11 EDT 2010


On Jul 26 2010, I wrote:

[...]
>That's NSEC3-RSASHA1 with Opt-Out, and scattershotting the NSEC3 records
>suggests there are 200+ DS records there (all NSEC3 records except that
>for the apex indicate the presence of a DS record). If those are genuine,
>it would be an impressive number when the zone goes DNSSEC-live, but I
>have my suspicions that they may be faked. I haven't yet found a known
>"edu" SLD that has a DS record there.

Things have moved on. "edu" has had real DNSKEY records for several days,
and today it (as well as "dk") has DS records in the root zone.

They are still using NSEC3-RSASHA1 with Opt-Out. Also interesting is that
the public key exponents are 3 (for both KSK and ZSK) rather than the now
common 65537. Everyone got paranoid about using 3 because of the OpenSSL
library validation bug, but maybe it's time to lose the paranoia now?

I would still be interested to know of any real "edu" SLD with a DS record.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
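An added example, not part of Chris Thompson's post or of any list member's code: two small checks for what the post observes in a zone like "edu": the RSA public exponent carried in a DNSKEY (RFC 3110 encoding, where 3 and 65537 look different on the wire) and whether an NSEC3 record has the Opt-Out flag set and asserts a DS type at the covered name. All sample records are constructed; the modulus bytes are filler, not a real key.

```python
"""Audit helpers: RSA exponent of a DNSKEY, and Opt-Out / DS presence in
an NSEC3 record. Sample records below are constructed, not from "edu"."""
import base64

ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # IANA numbers

def rsa_public_key_fields(pubkey_b64):
    """Decode an RFC 3110 RSA public key: exponent length (1 byte, or 0
    followed by 2 bytes), exponent, then modulus. Returns (e, modulus_bits)."""
    raw = base64.b64decode(pubkey_b64)
    if raw[0] != 0:
        exp_len, off = raw[0], 1
    else:
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[off:off + exp_len], "big")
    modulus = int.from_bytes(raw[off + exp_len:], "big")
    return exponent, modulus.bit_length()

def describe_dnskey(rdata):
    """rdata in presentation form: '<flags> <protocol> <algorithm> <base64>'."""
    flags, _protocol, alg, key = rdata.split(None, 3)
    flags, alg = int(flags), int(alg)
    role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit set => flags 257
    exponent, bits = rsa_public_key_fields(key.replace(" ", ""))
    return {"role": role, "algorithm": ALGORITHMS.get(alg, str(alg)),
            "exponent": exponent, "modulus_bits": bits}

def nsec3_summary(rdata):
    """rdata: '<hash-alg> <flags> <iterations> <salt> <next-hash> <types...>'.
    Opt-Out is bit 0 of the flags byte. With Opt-Out set, a non-apex NSEC3
    record exists only for a name that has a DS (a signed delegation)."""
    _alg, flags, _iters, _salt, _next, *types = rdata.split()
    return {"opt_out": bool(int(flags) & 0x01), "has_ds": "DS" in types}

def _make_key(exponent_bytes, modulus_bytes):
    """Build a constructed RFC 3110 key blob and base64-encode it."""
    n = len(exponent_bytes)
    prefix = bytes([n]) if n < 256 else b"\x00" + n.to_bytes(2, "big")
    return base64.b64encode(prefix + exponent_bytes + modulus_bytes).decode()

# Constructed samples: 1024-bit filler modulus, exponent 3 and 65537.
MOD_1024 = b"\xc0" + b"\x5a" * 127
KSK_E3 = "257 3 7 " + _make_key(b"\x03", MOD_1024)
ZSK_E65537 = "256 3 7 " + _make_key(b"\x01\x00\x01", MOD_1024)
# Constructed NSEC3 records (hashes are made up): a delegation with DS, and the apex.
NSEC3_DELEGATION = "1 1 0 - CK0POJMG874LJREF7EFN8430QVIT8BSM NS DS RRSIG"
NSEC3_APEX = "1 1 0 - 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR NS SOA RRSIG DNSKEY NSEC3PARAM"

if __name__ == "__main__":
    for r in (KSK_E3, ZSK_E65537):
        print(describe_dnskey(r))
    print(nsec3_summary(NSEC3_DELEGATION), nsec3_summary(NSEC3_APEX))
```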
