DNSSEC Trust Anchors for Merit managed zones

Larry Blunk, Merit Network, Inc.
Last revised: 21 June 2009

Introduction

Merit Network is participating in a pilot deployment of DNSSEC. It is an island-of-trust deployment, with no secure delegations from the parent zones at this time. The Merit authority nameservers are 198.108.1.43 (dns1.merit.net), 198.109.64.250 (dns2.merit.net), and 207.72.112.10 (dns3.merit.net).

This page lists the trust anchor (also known as the Secure Entry Point key) for the nanog.org zone. Security-aware DNS resolvers can use this trust anchor to authenticate records in the corresponding zone.

Key Maintenance Policies

Key Signing Keys (KSK) are 1024-bit RSASHA1 and Zone Signing Keys (ZSK) are 2048-bit RSASHA1. At the current time, Zone Signing Keys are rolled over every three months, using a pre-publish policy. Key Signing Keys are rolled over approximately once per year, using a double-signature rollover policy.

Trust Anchors

[Format: "domain_name" flags protocol algorithm "publickey-in-base64"]
Download this as a text file, suitable for inclusion in a BIND9 format configuration file.

"nanog.org." 257 3 5                   "AwEAAaeK6ON+879lLC8bdp0qTeyvbWz/2Rp1
                                        mamWy35l1a1aZAaBss6bI7HdGrHZtWpB11xy
                                        ch6y2I6ImQXfr99Dp+4Jnyd/9KjEravfnmXX
                                        dBRZhv3x3Hf5wv1Xzx5nn7hFx8h8omwve2WL
                                        JZZ4KcuxHnpoZ0o6JttdSb0RHvft8ZluTgdN
                                        GUrdxP5BmIDITEc9CfB4BgVCK8e+HpIFlChR
                                        jaBbsA8fSh4Cz1R/QwkDjxLc4vAETjb1koa5
                                        ZDxTaPjYEEEAp+wvb5aJtgVxjdwfejwaZ3MQ
                                        CmZMXZsq9t9MuWbNWemz7WKSRM7ra6FeHuQI
                                        ikrXNNMERxHA0lBdgI8vmg0=";
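
Before loading an entry in the format above into a resolver, it is worth checking what the entry actually says. The following is an added example, not part of the original page or Merit's tooling: it parses one entry, checks the flag bits and protocol field, reads the RSA modulus size (RFC 3110 key format) and computes the key tag (RFC 4034, Appendix B) for comparison with the DNSKEY the zone serves. The function names and the sample key are constructed for illustration.

```python
import base64
import re
import struct

# One entry: "domain_name" flags protocol algorithm "publickey-in-base64";
ENTRY = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RSA public key in RFC 3110 wire format."""
    if pubkey[0] != 0:
        exp_len, offset = pubkey[0], 1          # one-byte exponent length
    else:
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def inspect_anchor(text: str) -> dict:
    """Parse one trust anchor entry and report what a validator would load."""
    m = ENTRY.search(text)
    if m is None:
        raise ValueError("no trust anchor entry found")
    name, flags, protocol, algorithm = m[1], int(m[2]), int(m[3]), int(m[4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    pubkey = base64.b64decode("".join(m[5].split()), validate=True)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return {
        "name": name,
        "zone_key": bool(flags & 0x0100),  # Zone Key bit
        "sep": bool(flags & 0x0001),       # Secure Entry Point bit (KSK)
        "algorithm": algorithm,            # 5 = RSASHA1
        "modulus_bits": rsa_modulus_bits(pubkey) if algorithm == 5 else None,
        "key_tag": key_tag(rdata),
    }

# Constructed 512-bit sample (not Merit's key): exponent 65537, modulus C1 00..00 01
SAMPLE_KEY = b"\x03\x01\x00\x01" + b"\xc1" + b"\x00" * 62 + b"\x01"
SAMPLE = '"example.org." 257 3 5 "%s";' % base64.b64encode(SAMPLE_KEY).decode()

if __name__ == "__main__":
    print(inspect_anchor(SAMPLE))
```

Run against the nanog.org entry, the reported modulus size can be compared with the key maintenance policy, and the key tag with the one shown for the zone's DNSKEY record.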