[Dnssec-deployment] root key - getting close

Casey Deccio casey at deccio.net
Tue Jun 1 23:33:58 EDT 2010


On Tue, Jun 1, 2010 at 6:26 AM, Paul Wouters <paul at xelerance.com> wrote:

>
> I guess we're really almost there.
>
> "." 385 3 8
> "AwEAAeuXBrrPbYGLRFHfpegmd7ql2NUDUKErmNr8K8+sB5MQsD5VBg/SKaqbr7nhw9UutuewqpCoBx2gDJa0t/1co5tlMNNhaLmYKQ4IpOv3pQ6JaK5cnGhokrh4rOMohAnyXjV0FmaIdUHG5G4B6GdiYEkb7merDiM5sFij0Hf+XqFJ89qE+TZJYW46o7fEGya0tK/MgiUVMzGwyqsLK24jFU/1G+D6KyAfxGKpASPhvFa/LG5hjisEICfyEzHBAzcRPL4LKUvhXmxXgXgre41J0mhDI2hR7oB6pLfuaKE7TN7VoxMvSWqoh0ej7cjVRBvovlW7VvhdXPxFtFV7osAoyLc=";
> // key id = 19452
>
>
So, I'm curious.  The root zone currently shows three DNSKEY RRs:

1112
55138
19581 (with revoke bit set; id without revoke bit is 19453)

But the DNSKEY RRset is signed with the following:

1112
55138
19452

Is this intentional, or perhaps my analysis is wrong?  The third signature
doesn't align with any existing DNSKEY, and the revoked key is technically
not "revoked" since there is no self-signature.

Regards,
Casey
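The comparison described in the message above, as an added example that is not part of the original post: it computes the RFC 4034 Appendix B key tag to show why setting the REVOKE bit normally shifts a key's tag by 128 (19453 to 19581), then checks the DNSKEY RRset against the key tags of its RRSIGs. The function names and the 4-byte demo key are constructed for illustration; the tag lists are the ones reported in the message.

```python
import struct

REVOKE = 0x0080  # REVOKE bit in the DNSKEY flags field (RFC 5011)

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_dnskey_rrset(dnskeys, rrsig_tags):
    """dnskeys maps key tag -> True if REVOKE is set; rrsig_tags are the
    key tags of the RRSIGs covering the DNSKEY RRset.
    Returns (signature tags with no matching DNSKEY,
             revoked keys that did not sign the RRset)."""
    sigs = set(rrsig_tags)
    orphan_sigs = sorted(sigs - set(dnskeys))
    revoked_unsigned = sorted(
        tag for tag, revoked in dnskeys.items() if revoked and tag not in sigs
    )
    return orphan_sigs, revoked_unsigned

# Constructed 4-byte "public key", used only to show the effect of the flag bit.
DEMO_KEY = b"\x01\x02\x03\x04"

# Key tags as reported in the message (not fetched from the live zone).
ROOT_DNSKEYS = {1112: False, 55138: False, 19581: True}
ROOT_RRSIG_TAGS = [1112, 55138, 19452]

if __name__ == "__main__":
    plain = key_tag(257, 3, 8, DEMO_KEY)
    revoked = key_tag(257 | REVOKE, 3, 8, DEMO_KEY)
    print("demo key tag:", plain, "with REVOKE:", revoked, "delta:", revoked - plain)
    orphans, unsigned = audit_dnskey_rrset(ROOT_DNSKEYS, ROOT_RRSIG_TAGS)
    print("RRSIG key tags with no DNSKEY:", orphans)
    print("revoked keys without a self-signature:", unsigned)
```

The REVOKE bit sits in the low byte of the flags word, so the tag moves by exactly 128 unless the 16-bit fold in the last step carries.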