
SANS ISC: now DNSSEC signed via .org - SANS Internet Storm Center


To coincide with today's webcast about DNSSEC [1], I changed how the zone is DNSSEC signed. The zone itself has been signed for a while now, but I used "look aside validation" via . For a few months now, it has been possible to have .org zones directly signed by .org, and I decided to give it a try. Please let me know if you see any issues. If you plan to deploy DNSSEC yourself, see Verisign's [3] nice testing tool as well as the visualization tool by DNSVIZ [4].


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



ISC Handler
Apr 14th 2011

Interesting, and I view this as positive.
However, is there a specific (security-related?) reason for having multiple (3 at this moment) orphaned DS records for in the org. zone?
ksk keyid "10590" missing from domain
ksk keyid "52013" missing from domain
ksk keyid "62013" missing from domain

Kind regards,

Marc Lampo
EURid vzw/asbl
Security Officer
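
The orphaned-DS check raised in the comment above, as an added example that is not part of the original thread: it computes DNSKEY key tags (RFC 4034 Appendix B) and compares the parent's DS set against the child's published keys. The owner name `example.org.`, the key material, the digests and algorithm 8 are constructed assumptions; only the three key tags come from the comment.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name | DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def audit_ds(owner, ds_set, dnskeys):
    """Sort the parent's DS records into matched / mismatched / orphaned key tags."""
    published = {(key_tag(k), k[3]): k for k in dnskeys}  # k[3] = algorithm
    result = {"matched": [], "mismatched": [], "orphaned": []}
    for tag, alg, digest_type, digest in ds_set:
        key = published.get((tag, alg))
        if key is None:
            result["orphaned"].append(tag)    # no such DNSKEY in the child zone
        elif digest_type == 2 and ds_sha256(owner, key) == digest.lower():
            result["matched"].append(tag)
        else:
            result["mismatched"].append(tag)  # digest differs or type not checked here
    return result

# Constructed sample data (not real keys or digests).
OWNER = "example.org."
KSK = struct.pack("!HBB", 257, 3, 8) + bytes(range(64))  # flags, proto, alg, key
DS_SET = [(key_tag(KSK), 8, 2, ds_sha256(OWNER, KSK))] + [
    (tag, 8, 2, "00" * 32) for tag in (10590, 52013, 62013)  # tags from the comment
]

if __name__ == "__main__":
    print(audit_ds(OWNER, DS_SET, [KSK]))
```
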
