- Type: New Feature
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: OpenDNSSEC 1.4.0b1
- Fix Version/s: None
- Component/s: Build, PKCS#11 Interface
- Labels: None
- Environment:
Making DNSSEC the Trust Infrastructure: Angosso Name Security is Headed,
Root DNSSEC Domain
VeriSign
ICANN
March 08, 2014
DNSSEC Practice Statement for the Root Zone KSK Operator
Abstract
This document is the DNSSEC Practice Statement (DPS) for the Root
Zone Key Signing Key (KSK) Operator. It states the practices and
provisions that are used to provide Root Zone Key Signing and Key
Distribution services. These include, but are not limited to:
issuing, managing, changing and distributing DNS keys in accordance
with the specific requirements of the U.S. Department of Commerce.
Copyright Notice
Copyright 2014 by VeriSign, Inc., and by Internet Corporation For
Assigned Names and Numbers. This work is based on the Certification
Practice Statement, Copyright 1996-2004 by VeriSign, Inc. Used by
Permission. All Rights Reserved.
Trademark Notices
ICANN is a registered trademark of The Internet Corporation for
Assigned Names and Numbers.
VERISIGN is a registered trademark of VeriSign, Inc.
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"

start = element Configuration {
    # List of all known Key Repositories (domain root DNSSEC)
    element RepositoryList {
        element Repository {
            # Symbolic name of repository
            attribute name { xsd:string },
            # PKCS#11 Module (aka shared library)
            element Module { xsd:string },
            # PKCS#11 Token Label
            element TokenLabel { xsd:string },
            # PKCS#11 Login Credentials
            element PIN { xsd:string }?,
            # Maximum number of key pairs in the repository
            # DEFAULT: infinite
            element Capacity { xsd:positiveInteger }?,
            # Require backup of keys before use (optional)
            element RequireBackup { empty }?,
            # Do not maintain public keys in the repository (optional)
            element SkipPublicKey { empty }?
        }*
    },
    # Common configuration options
    element Common {
        # Configuration parameters for logging
        element Logging {
            element Verbosity { xsd:nonNegativeInteger }?,
            element Syslog {
                # syslog facility
                element Facility { syslogFacility }
            }?
        }?,
        # Location to find the file
        element PolicyFile { xsd:string },
        # Location to store the zonelist XML file
        element ZoneListFile { xsd:string }
    },
    # Configuration parameters for the Enforcer
    element Enforcer {
        # User & group to drop privs to
        privs?,
        # Number of Worker Threads
        # DEFAULT: 1
        element WorkerThreads { xsd:positiveInteger }?,
        # Where to store internal Enforcer state
        element Datastore { (mysql | sqlite) },
        # Interval between runs of the key rollover procedure
        element Interval { xsd:duration },
        # Use manual key generation?
        element ManualKeyGeneration { empty }?,
        # How long before a Rollover should we start warning (optional)
Responses for angosso.net/DNSKEY
- is cloned by: SUPPORT-134 CLONE - DNSSEC conf. (Closed)