The overall problem of using old root keys will persist (and eventually I think DNSSEC resolvers need to refuse ZSKs for . and TLDs that are less than 2048b in length, or, barring that, need to add a clock ratchet to keep old keys from being reused).

But fixing this going forward requires a 1-line change in the ZSK script: -b 2048

That's it. Since the KSKs are already 2048b, and therefore there are appropriate RRSIGs, it's clear that the server side is set up to handle real key lengths.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu        full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
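The post's check is one a resolver operator or zone auditor can automate: pull the DNSKEY RRset, pick out the zone keys without the SEP bit (the ZSKs), and measure the RSA modulus. The script below is an added example, not code from the post or from any DNS software; it parses DNSKEY records in standard presentation format, extracts the modulus length from the RFC 3110 RSA wire encoding, and flags RSA ZSKs shorter than 2048 bits. The sample records it runs on are constructed with a dummy modulus (not real keys), and the 2048-bit threshold is the policy the post argues for, applied here to any zone rather than only . and the TLDs.

```python
import base64
import struct

# Constants from RFC 4034 (DNSKEY flags) and the IANA DNSSEC algorithm registry.
FLAG_ZONE_KEY = 0x0100          # bit 7: this is a zone key
FLAG_SEP = 0x0001               # bit 15: Secure Entry Point, conventionally the KSK
RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
MIN_ZSK_BITS = 2048             # policy threshold (assumption: applied to every zone audited)


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus length in bits of an RSA public key in RFC 3110 wire format.

    Layout: exponent length (1 byte, or 0x00 followed by a 2-byte length),
    then the exponent, then the modulus. Only the modulus size matters here.
    """
    if len(pubkey) < 2:
        raise ValueError("public key too short")
    exp_len = pubkey[0]
    offset = 1
    if exp_len == 0:
        exp_len = struct.unpack("!H", pubkey[1:3])[0]
        offset = 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("public key has no modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(line: str):
    """Parse one DNSKEY RR in presentation format: owner TTL class DNSKEY flags proto alg base64..."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, _protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split over several tokens
    return owner, flags, algorithm, pubkey


def audit_zsk_lengths(records, min_bits=MIN_ZSK_BITS):
    """Return (owner, bits) for every RSA zone key without the SEP bit (a ZSK) below min_bits."""
    weak = []
    for line in records:
        owner, flags, algorithm, pubkey = parse_dnskey(line)
        is_zsk = bool(flags & FLAG_ZONE_KEY) and not (flags & FLAG_SEP)
        if not is_zsk or algorithm not in RSA_ALGORITHMS:
            continue  # non-RSA algorithms (ECDSA, EdDSA) have different size semantics
        bits = rsa_modulus_bits(pubkey)
        if bits < min_bits:
            weak.append((owner, bits))
    return weak


def make_dnskey_record(owner, flags, algorithm, modulus_bits):
    """Build a CONSTRUCTED DNSKEY line with a dummy all-ones modulus; test data, not a real key."""
    modulus = b"\xff" * (modulus_bits // 8)
    rdata = bytes([3]) + b"\x01\x00\x01" + modulus  # exponent length 3, e = 65537
    return f"{owner} 3600 IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(rdata).decode()}"


if __name__ == "__main__":
    sample = [
        make_dnskey_record("example.", 257, 8, 2048),  # KSK at 2048 bits: fine
        make_dnskey_record("example.", 256, 8, 1024),  # ZSK at 1024 bits: flagged
    ]
    for owner, bits in audit_zsk_lengths(sample):
        print(f"{owner}: RSA ZSK is {bits} bits, below {MIN_ZSK_BITS}")
```

In practice the records come from `dig +dnssec DNSKEY <zone>` output rather than from `make_dnskey_record`; the parser accepts that presentation format directly. The 2-byte exponent-length branch is rarely exercised by real zone keys (e = 65537 fits in three bytes), but a checker that skips it would mis-measure any key that uses it.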
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop