[Yeti DNS Discuss] KROLL and trust/key file

Kees Monshouwer keesm at monshouwer.eu
Sat Jul 23 09:15:37 UTC 2016


Hello all,

I wonder why the new KSK is not in
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/KSK.pub
(the recommended source of trust on the join page)

If I install a new RFC 5011 capable recursor today, based on this
trust file, the hold-down will also start today.
As a result, the new key will not be valid when the old one is
revoked.


New unbound install with only the current key:
```
;autotrust trust anchor file
;;id: . 1
;;last_queried: 1469263983 ;;Sat Jul 23 10:53:03 2016
;;last_success: 1469263983 ;;Sat Jul 23 10:53:03 2016
;;next_probe_time: 1469303021 ;;Sat Jul 23 21:43:41 2016
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.       86400   IN      DNSKEY  257 3 8 AwEAAbA0lBT1aDxwoNl7d/fXqFFBtL+VwBLqgOYHgAqrnvhRvHs+GrTWZZ5gZu/0NeX4YGXmovT1nGpY/9oi30pDvbzPluQXOKSVP/xr1KyLPp8pxiVqGe973F55fX4iQOUMB2n2VXfIxSryTNYPz44Zltpa10WAVYzHpy3oxx0qZSeDsdPHMNB7Ym0hBMY92cifWyQWifHbcgbFGf2mpwF00vALl92qhnvIORVZC/ihNNd7DvQtMLdUvSoQ0woC/EhqexXQv0bLlPkG55d37JoaVbWCEnWLZ+CT+Eei5U4VCqH+xCEvOjT45ZQt0kfB3K4bwfh6D5EBleJ13z3pbUwBy0U=
;{id = 19444 (ksk), size = 2048b}
 ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=1469263983 ;;Sat Jul 23 10:53:03 2016
.       3600    IN      DNSKEY  257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s=
;{id = 55954 (ksk), size = 2048b}
 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1469263983 ;;Sat Jul 23 10:53:03 2016
```
New key has the ADDPEND state.


New unbound install with the current and new key:
```
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1469264132 ;;Sat Jul 23 10:55:32 2016
;;last_success: 1469264132 ;;Sat Jul 23 10:55:32 2016
;;next_probe_time: 1469304442 ;;Sat Jul 23 22:07:22 2016
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.       3600    IN      DNSKEY  257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s=
;{id = 55954 (ksk), size = 2048b}
 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1469264132 ;;Sat Jul 23 10:55:32 2016
.       86400   IN      DNSKEY  257 3 8 AwEAAbA0lBT1aDxwoNl7d/fXqFFBtL+VwBLqgOYHgAqrnvhRvHs+GrTWZZ5gZu/0NeX4YGXmovT1nGpY/9oi30pDvbzPluQXOKSVP/xr1KyLPp8pxiVqGe973F55fX4iQOUMB2n2VXfIxSryTNYPz44Zltpa10WAVYzHpy3oxx0qZSeDsdPHMNB7Ym0hBMY92cifWyQWifHbcgbFGf2mpwF00vALl92qhnvIORVZC/ihNNd7DvQtMLdUvSoQ0woC/EhqexXQv0bLlPkG55d37JoaVbWCEnWLZ+CT+Eei5U4VCqH+xCEvOjT45ZQt0kfB3K4bwfh6D5EBleJ13z3pbUwBy0U=
;{id = 19444 (ksk), size = 2048b}
 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1469264132 ;;Sat Jul 23 10:55:32 2016
```
Both keys have the VALID state.

Is this part of the experiment or is it an overlooked detail?

If it is not a part of the experiment, it might be better to postpone
the revocation of the current key to at least 30 days after the trust
file was updated.


With kind regards,

Kees Monshouwer
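As an added example (not part of Kees's mail or of the Yeti project's code), the Python below parses an unbound autotrust anchor file of the shape quoted above and computes when an ADDPEND key finishes the RFC 5011 30-day add hold-down, so an operator can check whether the old key would be revoked before the new one becomes usable. The key ids, states and lastchange values in the embedded sample come from the mail; the key material is a constructed placeholder.

```python
import re
from datetime import datetime, timezone

# RFC 5011 add hold-down: a newly seen key is not trusted until 30 days
# have passed since the resolver first observed it.
ADD_HOLDDOWN = 30 * 24 * 3600

# Constructed excerpt of an unbound autotrust anchor file, modelled on the
# one quoted in the mail (key material replaced by a placeholder).
SAMPLE_ANCHOR = """\
;;id: . 1
.       86400   IN      DNSKEY  257 3 8 AwEAAb...PLACEHOLDER...
;{id = 19444 (ksk), size = 2048b}
 ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=1469263983 ;;Sat Jul 23 10:53:03 2016
.       3600    IN      DNSKEY  257 3 8 AwEAAa...PLACEHOLDER...
;{id = 55954 (ksk), size = 2048b}
 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1469263983 ;;Sat Jul 23 10:53:03 2016
"""

ID_RE = re.compile(r";\{id = (\d+) \((ksk|zsk)\)")
STATE_RE = re.compile(r";;state=(\d) \[\s*(\w+)\s*\] ;;count=(\d+) ;;lastchange=(\d+)")


def parse_autotrust(text):
    """Return {key_id: (state_name, lastchange_epoch)} from autotrust text."""
    keys, current = {}, None
    for line in text.splitlines():
        m = ID_RE.search(line)
        if m:
            current = int(m.group(1))   # the ';{id = ...}' line precedes its state line
            continue
        m = STATE_RE.search(line)
        if m and current is not None:
            keys[current] = (m.group(2), int(m.group(4)))
            current = None
    return keys


def earliest_trust(keys):
    """Epoch at which each key is (or will become) a usable trust anchor."""
    return {kid: (ts if state == "VALID" else ts + ADD_HOLDDOWN)
            for kid, (state, ts) in keys.items()}


def rollover_gap(keys, new_id, revoke_epoch):
    """True if revoking the old key at revoke_epoch leaves the new key still in hold-down."""
    return earliest_trust(keys)[new_id] > revoke_epoch


if __name__ == "__main__":
    parsed = parse_autotrust(SAMPLE_ANCHOR)
    for kid, ts in earliest_trust(parsed).items():
        print(kid, parsed[kid][0], datetime.fromtimestamp(ts, timezone.utc).isoformat())
```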
