At Mon, 17 Jan 2022 09:09:42 +0100, Alexander Mayrhofer
<[email protected]> wrote:-

>> Yes, the non-signing KSK could be offline disaster recovery key. There’s
>> nothing wrong about having more keys in DS than used because the change
>> process for DS is more complicated than swapping the active key in the zone.
>
>[AM] I can second what Ondrej has written. We (.at) do have an identical setup
>with an (additional) emergency key that's in the root zone, but not used under
>normal operational circumstances to sign the zone. The management of that
>disaster recovery key is completely disjunct from our "main" key. 

Looking at .at in Zonemaster:-

https://www.zonemaster.fr/result/586829d6f4b5882d

it reports:-

DNSSEC
ERROR
The DNSKEY RRset is not signed by the DNSKEY with tag 19294 that the the DS
record refers to. Fetched from the nameservers with IP "185.102.12.2;
192.92.125.2; 194.0.10.100; 194.0.25.10; 194.146.106.50;
2001:628:2030:4301::2; 2001:678:1c::2; 2001:678:20::10; 2001:678:d::cafe;
2001:67c:1010:12::53; 2a02:568:281::130; 2a02:850:ffff::2; 78.104.144.2;
81.91.173.130".

Given that having a standby key is a standard (and probably good!)
practice, should Zonemaster perhaps classify this as less of a problem,
maybe as a "warning"?

Obviously there needs to be at least one KSK signing the DNSKEYs...

Best wishes,
Matthew
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
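The classification Matthew asks for, as an added example that is not part of the thread and not Zonemaster's code: a Python sketch that computes RFC 4034 key tags and grades a delegation ERROR, WARNING or OK by whether at least one DS-referenced key signs the DNSKEY RRset, with non-signing DS keys reported as standby keys. The DNSKEY records are constructed, not .at's real keys, and the tag 19294 from the report above is not reproduced.

```python
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms but RSAMD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def classify_ds_coverage(ds_tags, dnskey_tags, rrsig_tags):
    """Return (severity, detail) for a delegation.

    ds_tags: tags the parent's DS RRset points at; dnskey_tags: tags in the
    child's DNSKEY RRset; rrsig_tags: tags of the RRSIGs covering that RRset.
    A secure chain (RFC 4035 section 5.2) needs at least ONE DS-referenced key
    that is published and signs the DNSKEY RRset; the rest are standby keys.
    """
    ds, published, signing = set(ds_tags), set(dnskey_tags), set(rrsig_tags)
    chain = ds & published & signing
    if not chain:
        return "ERROR", f"no DS-referenced key signs the DNSKEY RRset: {sorted(ds)}"
    standby = sorted(ds - chain)
    if standby:
        return "WARNING", f"DS key(s) {standby} do not sign the DNSKEY RRset (standby?)"
    return "OK", f"DS key(s) {sorted(chain)} sign the DNSKEY RRset"


# Constructed DNSKEY RRset (not .at's real keys): (flags, protocol, algorithm, key).
DNSKEYS = {
    "ksk-active": (257, 3, 13, b"\x01\x02\x03\x04"),
    "ksk-standby": (257, 3, 13, b"\x05\x06\x07\x08"),
    "zsk": (256, 3, 13, b"\x09\x0a\x0b\x0c"),
}


def demo():
    """The .at situation: both KSKs have DS records, only the active one signs DNSKEY."""
    tags = {name: key_tag(*rr) for name, rr in DNSKEYS.items()}
    ds_tags = [tags["ksk-active"], tags["ksk-standby"]]
    rrsig_tags = [tags["ksk-active"]]  # a ZSK RRSIG over DNSKEY would not change the result
    return classify_ds_coverage(ds_tags, tags.values(), rrsig_tags)
```

`demo()` returns WARNING rather than ERROR, which is the grading the message argues for; the ERROR path only fires when no DS key at all signs the DNSKEY RRset.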