Re: dnssec lookaside to dlv.isc.org broke recursion - DNS
Re: dnssec lookaside to dlv.isc.org broke recursion
* Vinny Abello:
> I've got two recursive DNS servers running on FreeBSD 7.0 each with
> BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
The annual key rollover for dlv.isc.org happened 30 days ago, and the
transition period is now over. You probably failed to perform that
rollover.
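An added check, not code from this thread or from ISC, that shows how a resolver operator could spot the condition described above before validation breaks: it computes RFC 4034 key tags for the anchors in a `trusted-keys` statement and compares them with the KSKs (SEP bit set) in the DLV zone's currently published DNSKEY RRset. The DNSKEY records, key material and the stale anchor are constructed placeholders, the RRset is taken as input rather than fetched, and `dnskey_rdata`, `key_tag`, `parse_dnskey` and `check_anchors` are hypothetical helper names.

```python
import base64
import struct

# Constructed sample: the DLV zone's DNSKEY RRset as published after a KSK
# rollover. The key material is a placeholder, not ISC's real key.
PUBLISHED_DNSKEYS = """
dlv.isc.org. 3600 IN DNSKEY 257 3 5 AQAB
dlv.isc.org. 3600 IN DNSKEY 256 3 5 AgEB
""".strip().splitlines()

# Constructed sample: the resolver's trusted-keys entry still carries the
# previous KSK (same fields as a named.conf trusted-keys statement).
CONFIGURED_ANCHORS = [("dlv.isc.org.", 257, 3, 5, "AQEB")]


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse 'owner ttl class DNSKEY flags proto alg key...' presentation format."""
    owner, _ttl, _class, rrtype, flags, proto, alg, *key = line.split()
    if rrtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: %s" % line)
    return owner.lower(), int(flags), int(proto), int(alg), "".join(key)


def check_anchors(anchors, published_lines):
    """Map each configured anchor's key tag to 'current' or 'stale'.
    Only published keys with the SEP bit (flag 0x0001) count as KSKs; a
    resolver whose anchors are all 'stale' can no longer build a chain of trust."""
    published = set()
    for line in published_lines:
        owner, flags, proto, alg, key = parse_dnskey(line)
        if flags & 0x0001:
            published.add((owner, key_tag(dnskey_rdata(flags, proto, alg, key))))
    result = {}
    for owner, flags, proto, alg, key in anchors:
        tag = key_tag(dnskey_rdata(flags, proto, alg, key))
        result[tag] = "current" if (owner.lower(), tag) in published else "stale"
    return result


if __name__ == "__main__":
    for tag, status in check_anchors(CONFIGURED_ANCHORS, PUBLISHED_DNSKEYS).items():
        print("trust anchor key tag %d: %s" % (tag, status))
```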
-
Re: dnssec lookaside to dlv.isc.org broke recursion
"Florian Weimer" wrote in message
news:gdqfih$l14$1@sf1.isc.org...
> * Vinny Abello:
>
> > I've got two recursive DNS servers running on FreeBSD 7.0 each with
> > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
>
> The annual key rollover for dlv.isc.org happened 30 days ago, and the
> transition period is now over. You probably failed to perform that
> rollover.
I see nothing on the resource https://secure.isc.org/ops/dlv/index.php that
tells us that there is a periodic rollover of the key-signing-key for the
DLV. I expect that the zone-signing-key ("256") and ONLY that key will be
changed every month. The key-signing-key shouldn't be changed very often
(if at all). Remember that this is a transitional mechanism that should
only be in place for a short number of years.
If isc.org is going to change it annually or so, fine, but then let them
publish about 4 key-signing-keys, even if only one is actively used. That
would be 4 years worth of keys, which should be enough to cover 4+ years -
long enough for ICANN to get off their asses and sign the root zone.
Might using the wrong key-signing-key as a trusted key be the cause of the
assertion failure I reported in a separate thread?
-
Re: dnssec lookaside to dlv.isc.org broke recursion
On Oct 24 2008, D. Stussy wrote, re the dlv.isc.org KSK,
> If isc.org is going to change it annually or so, fine, but then let them
> publish about 4 key-signing-keys, even if only one is actively used. That
> would be 4 years worth of keys, which should be enough to cover 4+ years -
> long enough for ICANN to get off their asses and sign the root zone.
This doesn't make much (I am inclined to say "any") sense. Publishing the
keys subjects them to attack, whether they are used for signing or not.
The whole point of changing the keys regularly is to limit the time they
are exposed to such attack.
Also, 4 years is a long time in cryptographic techniques. Who is to say,
for example, whether a 2048-bit KSK will still be adequate after that long?
--
Chris Thompson
Email: cet1@cam.ac.uk