[Dnssec-deployment] root key - getting close
Casey Deccio
casey at deccio.net
Wed Jun 2 10:48:16 EDT 2010
On Wed, Jun 2, 2010 at 3:14 AM, Chris Thompson <cet1 at cam.ac.uk> wrote:
> On Jun 2 2010, Casey Deccio wrote:
>
>
> But the DNSKEY RRset is signed with the following:
>>
>> 1112
>> 55138
>> 19452
>>
>> I don't see a signature with 55138 (the obscured ZSK) at all:
>
>
Yes, you're right. 55138 was not actually referenced in the signatures of
the DNSKEY RRset. I read incorrectly the output of the tool I was using. I
asked for all signatures of name ".", but I didn't filter by DNSKEY type, so
it included the signature of the SOA RR.
But of course the other issue of the "revoked" key not being self-signed
still holds, possibly related to the "obscuring" as you mentioned.
Casey
The obscuring of the revoked KSK seems to have mucked things up:
> I suspect the key id was meant to remain 19452, but maybe their
> obscuring tool (which is meant to preserve key id) doesn't work
> properly with revoked DNSKEY records? It's possibly significant
> that adding the revoked (0x0080) bit to the flags increases the
> id by either 128 or 129 (see RFC 4034 Appendix B) and we have seen an
> increase by 128 and then another by 129.
>
> Is anyone from ICANN or Verisign able to comment?
>
>
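As an added illustration (not part of the thread, and not the tool either poster used): the RFC 4034 Appendix B key tag computation, applied to constructed DNSKEY RDATA, showing why setting the RFC 5011 REVOKE bit (0x0080) moves the tag by exactly 128 or 129. The key material is constructed and is not the root key.

```python
# Added example: RFC 4034 Appendix B key tag and the effect of the REVOKE bit.
# The REVOKE bit sits in the low-order byte of the 16-bit flags field, which is
# RDATA offset 1 (an odd offset), so it adds exactly 128 to the running sum.
# The end-around carry in the final fold adds one more whenever that +128 pushes
# the sum across a 65536 boundary, which is where the +129 case comes from.
import struct

REVOKE = 0x0080     # RFC 5011 revocation flag bit
KSK_FLAGS = 0x0101  # ZONE (0x0100) | SEP (0x0001), the usual KSK flags


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag exactly as in RFC 4034 Appendix B (for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd offsets add the byte, even offsets add byte << 8
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF


def revoke(rdata: bytes) -> bytes:
    """Return the same DNSKEY RDATA with the REVOKE flag bit set; nothing else changes."""
    flags = struct.unpack("!H", rdata[:2])[0] | REVOKE
    return struct.pack("!H", flags) + rdata[2:]


def tag_delta(rdata: bytes) -> int:
    """Change in key tag (mod 2^16) caused by setting the REVOKE bit on this key."""
    return (key_tag(revoke(rdata)) - key_tag(rdata)) % 0x10000


# Constructed toy keys (not real key material). KEY_128's sum stays below 65536
# after the +128, so the tag moves by 128; KEY_129's sum crosses 65536, so the
# carry fold adds one more and the tag moves by 129 (mod 2^16).
KEY_128 = dnskey_rdata(KSK_FLAGS, 8, b"\x10" * 16)
KEY_129 = dnskey_rdata(KSK_FLAGS, 8, bytes([0xFA, 0x00, 0x01, 0x80]))

if __name__ == "__main__":
    for name, k in (("KEY_128", KEY_128), ("KEY_129", KEY_129)):
        print(name, "tag:", key_tag(k), "revoked tag:", key_tag(revoke(k)),
              "delta:", tag_delta(k))
```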