Re: [DNSOP] [Ext] Re: I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-01.txt

Edward Lewis <> Wed, 31 May 2017 20:54 UTC

Answering my own question... relooking at my data, I see two TLD operators (running a total of 4 zones) revoking KSKs on a regular basis.

On 5/31/17, 15:44, "Edward Lewis" <> wrote:

    Coming late to this thread, I have a question.
    How many operational instances of "Automated Updates" [RFC 5011] are there?
    Besides the root zone KSK, I don't know of any.  I do some monitoring of DNSSEC practices; years ago I noticed one TLD appearing to follow RFC 5011's semantics.  But in recent looks that TLD seems to have abandoned the practice (I've never made contact to confirm).  In a scan of second-level names a month ago, I found only traces of revoked keys (KSK and ZSK!).
    I ask because of the issues raised in the thread regarding the number of keys assumed in the operation.  Automated Updates apparently (to me) was defined with more than one active secure entry point in mind, but in practice, the only operating example I've witnessed of Automated Updates relies on a single active secure entry point.
    I've asked around (tool developers) and, so far, no other examples have popped up.  I'm sure there are some out there.