[Dnssec-deployment] Many KSKs for .museum?

Klaus Malorny Klaus.Malorny at knipp.de
Wed Jun 23 09:56:51 EDT 2010


>> Does anyone know why .museum added 5 KSKs and one revoked KSK? Is
>> there some testing happening?
> 
> Maybe it's a new exhibit of KSKs through history. ("See, Oscar? That's  
> what keys used to be like when *I* was a boy.")
> 
> 
> Joe

Hi Joe,

can you explain why you are so amused?

The .museum zone is currently operated using the RFC 5011 standard. As such, new 
keys are being introduced (AddPending state). If the zone contains too many keys 
in the Valid state and no rollover is being triggered, the oldest Valid keys are 
being phased out and enter the Revoke state.

The reason why these keys (including the revoked one) suddenly appear in 
public is that the signing process has been reorganized recently, and the new 
key management had already been running for quite a while when the switchover took place.

So from my perspective, I don't see any reason for complaints.

By the way: The mode of operation will change as soon as the domain's DS record 
has been added to the root zone.

Regards

Klaus,

on behalf of CORE, the operator of the .museum zone
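
As an added illustration (not part of the original message and not CORE's signing code), the sketch below models how an RFC 5011 validating resolver tracks the keys it sees in a zone's DNSKEY RRset, using the state names from the message. It assumes every observed RRset has already been validated and applies the RFC's 30-day hold-down to both timers; the key names and the timeline are constructed.

```python
# Added example: simplified RFC 5011 trust-anchor tracking on the resolver side.
# Assumption: every RRset passed in has already been DNSSEC-validated.
SEP, REVOKE = 0x0001, 0x0080   # DNSKEY flag bits: KSK = 257, revoked KSK = 385
HOLD_DOWN = 30                 # days; used for both the add and remove timers

def track(observations, initial_anchors=()):
    """observations: [(day, {key_name: flags})]. Returns {key_name: state}."""
    state = {k: "Valid" for k in initial_anchors}
    since = {}                 # day on which a key's current timer started
    for day, rrset in observations:
        for key in set(state) | set(rrset):
            cur = state.get(key, "Start")
            flags = rrset.get(key)
            present = flags is not None
            revoked = present and bool(flags & REVOKE)
            if cur == "Start":
                # A key first seen already revoked is never trusted.
                if present and flags & SEP and not revoked:
                    state[key], since[key] = "AddPend", day       # NewKey
            elif cur == "AddPend":
                if not present or revoked:   # revoked-while-pending handled as
                    state[key] = "Start"     # KeyRem: an assumption of this sketch
                elif day - since[key] >= HOLD_DOWN:
                    state[key] = "Valid"                          # AddTime
            elif cur in ("Valid", "Missing"):
                if revoked:
                    state[key], since[key] = "Revoked", day       # RevBit
                else:
                    state[key] = "Valid" if present else "Missing"
            elif cur == "Revoked" and day - since[key] >= HOLD_DOWN:
                state[key] = "Removed"                            # RemTime
    return state

# Constructed timeline: K1 is the configured anchor, K0 is published already revoked.
TIMELINE = [
    (0,  {"K0": 385, "K1": 257, "K2": 257}),
    (31, {"K0": 385, "K1": 257, "K2": 257, "K3": 257}),
    (40, {"K1": 385, "K2": 257, "K3": 257}),
    (75, {"K2": 257, "K3": 257}),
]

if __name__ == "__main__":
    for i in range(1, len(TIMELINE) + 1):
        print(TIMELINE[i - 1][0], track(TIMELINE[:i], ("K1",)))
```

A resolver that first sees a key with the REVOKE bit already set (K0 here) never leaves the Start state for it, so a revoked key appearing in a freshly published key set does not change that resolver's trust anchors.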



