[Dnssec-deployment] DU(edu)Z spotted
shuque at isc.upenn.edu
Fri Jul 30 09:30:38 EDT 2010
On Fri, Jul 30, 2010 at 02:14:11PM +0100, Chris Thompson wrote:
> On Jul 26 2010, I wrote:
> >That's NSEC3-RSASHA1 with Opt-Out, and scattershotting the NSEC3 records
> >suggests there are 200+ DS records there (all NSEC3 records except that
> >for the apex indicate the presence of a DS record). If those are genuine,
> >it would be an impressive number when the zone goes DNSSEC-live, but I
> >have my suspicions that they may be faked. I haven't yet found a known
> >"edu" SLD that has a DS record there.
> Things have moved on. "edu" has had real DNSKEY records for several days,
> and today it (as well as "dk") has DS records in the root zone.
> They are still using NSEC3-RSASHA1 with Opt-Out. Also interesting is that
> the public key exponents are 3 (for both KSK and ZSK) rather than the now
> common 65537. Everyone got paranoid about using 3 because of the OpenSSL
> library validation bug, but maybe it's time to lose the paranoia now?
> I would still be interested to know of any real "edu" SLD with a DS record.
There are a few:
We started off with penn.edu. Our primary production domain is
upenn.edu, and I'm not quite brave enough to pull the trigger
on that one yet -- but hopefully next week. Berkeley did the
University of Pennsylvania.
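As an added illustration of the two things the thread is eyeballing (the RSA public exponent in a DNSKEY and the Opt-Out flag on NSEC3 records), here is a small Python decoder; it is not code from the list or from any poster, and the sample records below are constructed, not the real edu. data.

```python
import base64

# RFC 3110 RSA public key wire format: [exp_len][exponent][modulus]; a leading
# 0x00 byte means the exponent length is carried in the next two bytes instead.

def encode_rsa_key(exponent: int, modulus: bytes) -> bytes:
    """Build the RFC 3110 public key field (used here only to construct samples)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        return bytes([len(exp)]) + exp + modulus
    return b"\x00" + len(exp).to_bytes(2, "big") + exp + modulus

def parse_dnskey(line: str) -> dict:
    """Decode a presentation-format DNSKEY RR: 'name TTL IN DNSKEY flags proto alg key...'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))   # key may be split on whitespace
    if key[0] != 0:
        exp_len, off = key[0], 1
    else:
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    exponent = int.from_bytes(key[off:off + exp_len], "big")
    modulus = key[off + exp_len:]
    return {
        "role": "KSK" if flags & 0x0001 else "ZSK",   # SEP bit marks the KSK
        "flags": flags, "protocol": proto, "algorithm": alg,   # alg 7 = RSASHA1-NSEC3-SHA1
        "exponent": exponent,
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
    }

def nsec3_opt_out(line: str) -> bool:
    """NSEC3 RDATA is 'hash-alg flags iterations salt next-hash [types]'; flag bit 0x01 = Opt-Out."""
    fields = line.split()
    i = fields.index("NSEC3")
    return bool(int(fields[i + 2]) & 0x01)

# Constructed samples: a 2048-bit modulus of made-up bytes, exponent 3 vs. 65537.
FAKE_MODULUS = b"\xc1" * 256
KSK_E3 = "edu. 86400 IN DNSKEY 257 3 7 " + base64.b64encode(encode_rsa_key(3, FAKE_MODULUS)).decode()
ZSK_E65537 = "edu. 86400 IN DNSKEY 256 3 7 " + base64.b64encode(encode_rsa_key(65537, FAKE_MODULUS)).decode()
# Constructed NSEC3 records (hashes are placeholders): flags 1 = Opt-Out, flags 0 = not.
NSEC3_OPTOUT = "HASH1.edu. 86400 IN NSEC3 1 1 0 - HASH2 NS DS RRSIG"
NSEC3_PLAIN = "HASH1.edu. 86400 IN NSEC3 1 0 0 - HASH2 NS DS RRSIG"

if __name__ == "__main__":
    for rr in (KSK_E3, ZSK_E65537):
        print(parse_dnskey(rr))
    print("Opt-Out:", nsec3_opt_out(NSEC3_OPTOUT), nsec3_opt_out(NSEC3_PLAIN))
```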