[Dnssec-deployment] root key - getting close
Chris Thompson
cet1 at cam.ac.uk
Wed Jun 2 06:14:40 EDT 2010
On Jun 2 2010, Casey Deccio wrote:
>On Tue, Jun 1, 2010 at 6:26 AM, Paul Wouters <paul at xelerance.com> wrote:
>
>>
>> I guess we're really almost there.
>>
>> "." 385 3 8
>> "AwEAAeuXBrrPbYGLRFHfpegmd7ql2NUDUKErmNr8K8+sB5MQsD5VBg/SKaqbr7nhw9UutuewqpCoBx2gDJa0t/1co5tlMNNhaLmYKQ4IpOv3pQ6JaK5cnGhokrh4rOMohAnyXjV0FmaIdUHG5G4B6GdiYEkb7merDiM5sFij0Hf+XqFJ89qE+TZJYW46o7fEGya0tK/MgiUVMzGwyqsLK24jFU/1G+D6KyAfxGKpASPhvFa/LG5hjisEICfyEzHBAzcRPL4LKUvhXmxXgXgre41J0mhDI2hR7oB6pLfuaKE7TN7VoxMvSWqoh0ej7cjVRBvovlW7VvhdXPxFtFV7osAoyLc=";
>> // key id = 19452
>>
>>
>So, I'm curious. The root zone currently shows three DNSKEY RRs:
>
>1112
>55138
>19581 (with revoke bit set; id without revoke bit is 19453)
This has changed since yesterday - the revoked key is now obscured.
>But the DNSKEY RRset is signed with the following:
>
>1112
>55138
>19452
>
>Is this intentional, or perhaps my analysis is wrong? The third signature
>doesn't align with any existing DNSKEY, and the revoked key is technically
>not "revoked" since there is no self-signature.
I don't see a signature with 55138 (the obscured ZSK) at all:
$ dig +dnssec +multi +vc +noall +answer dnskey . @a.root-servers.net
. 86400 IN DNSKEY 385 3 8 (
AwEAAayCe++++++++++++++++THIS/IS/AN/INVALID/
KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/
AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++8=
) ; key id = 19581
. 86400 IN DNSKEY 256 3 8 (
AwEAAavbA++++++++++++++++THIS/IS/AN/INVALID/
KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/
AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++++++
+++++++++++++++++++++++++++++++++++++++++++8
) ; key id = 55138
. 86400 IN DNSKEY 257 3 8 (
AwEAAazdM++++++++++++++++THIS/IS/AN/INVALID/
KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/
AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++8=
) ; key id = 1112
. 86400 IN RRSIG DNSKEY 8 0 86400 20100614235959 (
20100531000000 1112 .
sDbQ6NTGP3uQJf5SMM8YX66YpVHcUH9dT82SRMmocwyk
+KEp93DondlSC0yYJopBm1AKR3lxHQxWnrND1SeLC5/6
qU8IVEE7yFrYiwBE5jJjeGjYnUT+CHcIZ9HHW6Y/ouxQ
UJhg/rLBNrcRzQtps1Kmjwx/Df+r4rrFmNdwR3B9wO4H
uqLCqnvwUCLHrAZE91kqebzlNMPKFmDdg+xLl54gV0qD
BNEQtCeGb+pEx6EhE0116XAR31PMlUKuSaWhJirCETa1
Q561e2qVex/K3XviqZrtV945XgEBGDt2pNc2uTrlZBKU
jUWLQ36on7jHvljZ4yRIIOpRYszPEtVk0Q== )
. 86400 IN RRSIG DNSKEY 8 0 86400 20100614235959 (
20100531000000 19452 .
SClm7MFReawTbR8QvIE8KooxLWAtBm0SAmd2HHZWJNte
jENMNjPsgGXQKT9IMIih6ykIg8jkGmYL6ecZx9j3+XOm
Gyh6KzycqoijJ26qMGaZEh+Pk4CW9NmQla26TriqB4wG
XWXo4FrA11p2qFHtPtXuBNfQE21eGjqPAWb0VdlAnmsx
R+ucplAEU7mv2hJagTUOKbW84r1maqeFcV5rkYZQXXoq
HUROeoxAUEy8aPkuNm+wFwJoa/NMf+ZJBpieV5lFsLiH
IIQEXgBo/cYcUt4gMEBBilL0YwNdZXRG+XIbRLzm29ax
ZhiRw2HABZKEqICcIfM4iJvaayC9xv1trg== )
The obscuring of the revoked KSK seems to have mucked things up:
I suspect the key id was meant to remain 19452, but maybe their
obscuring tool (which is meant to preserve key id) doesn't work
properly with revoked DNSKEY records? It's possibly significant
that adding the revoked (0x0080) bit to the flags increases the
id by either 128 or 129 (see RFC 4034 Appendix B) and we have
seen an increase by 128 and then another by 129.
Is anyone from ICANN or Verisign able to comment?
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
More information about the Dnssec-deployment
mailing list