Which is basically what we, EURid for .eu, do. Example: DNSKEY "operations" and usage during the month of May

domain "eu." on 2011-05-01
  serial : 1003539565
  ksks : 61179 DS
  zsks : 19700, 57368 RRSIG

domain "eu." on 2011-05-03 - signing with keyid 19700
  serial : 1003545434
  ksks : 61179 DS
  zsks : 19700 RRSIG, 57368 RRSIG

domain "eu." on 2011-05-12 - no longer signing with keyid 57368
  serial : 1003578276
  ksks : 61179 DS
  zsks : 19700 RRSIG, 57368

domain "eu." on 2011-05-20 - zsk 57368 - removed DNSKEY from zone
  serial : 1003606818
  ksks : 61179 DS
  zsks : 19700 RRSIG

domain "eu." on 2011-05-24 - zsk 34553 - added DNSKEY to zone
  serial : 1003620223
  ksks : 61179 DS
  zsks : 19700 RRSIG, 34553

domain "eu." on 2011-05-31 - signing with keyid 34553
  serial : 1003644472
  ksks : 61179 DS
  zsks : 19700 RRSIG, 34553 RRSIG

In addition: on the network management server, scripts were added that do check validity of published signatures. Getting "too close" to end-of-validity is one of the triggers to send alerts.

Kind regards,

Marc Lampo
Security Officer
EURid

-----Original Message-----
From: Paul Hoffman [mailto:[email protected]]
Sent: 02 June 2011 05:43 PM
To: Joe Abley
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] watching for signature expiration in zones you don't sign

Another thought is to simply keep a detailed history and watch the replacements. For each zone, you should be able to determine what their normal renewal buffer is. You would only need to be concerned about those that get too close to the edge from their normal operations.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
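As an added example (not EURid's scripts and not code from this thread), the two monitoring ideas above in Python: a check that warns when a published RRSIG gets too close to its end-of-validity, and the history-based check Paul describes, which learns the renewal buffer a zone normally keeps from periodic polls and flags a signature that runs past it. The RRSIG lines, the poll history and the thresholds are constructed for the example.

```python
"""Watch RRSIG expiry in a zone you do not sign (example code, not EURid's): flag
signatures near end-of-validity and compare against the zone's usual renewal buffer."""
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIGs in presentation format (as dig prints them);
# the base64 signature field is shortened since it is not needed here.
SAMPLE_RRSIGS = [
    "eu. 3600 IN RRSIG SOA 8 1 3600 20110610120000 20110527120000 19700 eu. Ab12==",
    "eu. 3600 IN RRSIG DNSKEY 8 1 3600 20110602080000 20110519080000 61179 eu. Cd34==",
]

def parse_rrsig(line):
    """Parse one RRSIG line; field order follows the RFC 4034 presentation format."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    stamp = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"name": f[0], "covered": f[4], "expiration": stamp(f[8]),
            "inception": stamp(f[9]), "keytag": int(f[10]), "signer": f[11]}

def check_validity(sig, now, min_remaining):
    """Return 'expired', 'warning' (less than min_remaining left) or 'ok'."""
    remaining = sig["expiration"] - now
    if remaining <= timedelta(0):
        return "expired"
    return "warning" if remaining < min_remaining else "ok"

def renewal_buffers(history):
    """history: time-ordered (polled_at, expiration) pairs from periodic polls.
    Returns the validity left at the last poll before each re-signing was seen."""
    buffers = []
    for (t_prev, exp_prev), (_, exp_cur) in zip(history, history[1:]):
        if exp_cur != exp_prev:  # expiration changed: a fresh RRSIG was published
            buffers.append(exp_prev - t_prev)
    return buffers

def is_late(history, remaining, factor=0.5):
    """True once remaining validity drops below `factor` of the tightest
    buffer seen for this zone; None if there is no history to judge by."""
    buffers = renewal_buffers(history)
    if not buffers:
        return None
    return remaining < min(buffers) * factor

def report(lines, now, min_remaining=timedelta(days=3)):
    """Check every RRSIG line and return {(covered type, key tag): status}."""
    return {(s["covered"], s["keytag"]): check_validity(s, now, min_remaining)
            for s in map(parse_rrsig, lines)}
```

The buffer learned by `renewal_buffers` is only as fine as the polling interval, so poll more often than the shortest validity period you expect to see.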
