Answering my own question...relooking at my data, I see two TLD operators 
(running a total of 4 zones) revoking KSKs on a regular basis.

On 5/31/17, 15:44, "Edward Lewis" <[email protected]> wrote:

    Coming late to this thread, I have a question.
    
    How many operational instances of "Automated Updates" [RFC 5011] are there?
    
    Besides the root zone KSK, I don't know of any.  I do some monitoring of
    DNSSEC practices; years ago I noticed one TLD appearing to follow RFC 5011's
    semantics.  But in recent looks that TLD seems to have abandoned the practice
    (I've never made contact to confirm).  In a scan of second-level names a month
    ago, I found only traces of revoked keys (KSK and ZSK!).
    
    I ask because of the issues raised in the thread regarding the number of
    keys assumed in the operation.  Automated Updates apparently (to me) was
    defined with more than one active secure entry point in mind, but in practice,
    the only operating example I've witnessed of Automated Updates relies on a
    single active secure entry point.
    
    I've asked around (tool developers) and, so far, no other examples have
    popped up.  I'm sure there are some out there.
    
    


_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
