Larry Blunk, Merit Network, Inc.
Last revised: 14 June 2007
Merit Network is participating in a pilot deployment of DNSSEC. It is an island of trust deployment with no secure delegations from the parent zones at this time. The Merit authority nameservers are 198.108.1.43 (dns1.merit.net), 198.109.64.250 (dns2.merit.net), and 207.72.112.10 (dns3.merit.net).
This page lists trust anchors (aka Secure Entry Point keys) for the nanog.org, radb.net and 169.35.192.in-addr.arpa zones. These trust anchors can be used by security-aware DNS resolvers to authenticate records in the corresponding zones.
Key Signing Keys (KSK) are 1280 bit RSASHA1 and Zone Signing Keys (ZSK) are 1024 bit RSASHA1. At the current time, Zone Signing Keys are rolled over every three months, using a pre-publish policy. Key Signing Keys are rolled over approximately once per year, using a double signature rollover policy.
[Format: "domain_name" flags protocol algorithm "publickey-in-base64"]Download this as a text file, suitable for inclusion in a BIND9 format configuration file.
"radb.net." 257 3 5 "AwEAAbIXcvl/ZoIIk4Vzl8NRtluFy371SLXQ
5hGbEB0sfByQ9UbXWUneClXWfc7++QkhNPsg
q+yyfvoSm6TN3ojYvu5BNcMfAxCmCsFpkViR
Co2EQ1QquPHsQTSz+e/1PdTfyZV49mBL/P41
mkwtyl5vizfju5jV6HGr1LNgeDwuiabwqYEL
q/Dhf8XA2mIrzs2a6XDmntRDkO0sxNlGwaBC
17c=";
"nanog.org." 257 3 5 "AwEAAfQ9WAggPoeflzpJWObTeGOSNnq5MvJT
Ywe0feRB7YD4iy+G9wrBb02WmJJ+QUpTY2tl
tIX2zcagU5yMtfbT4Dfrbu+9xk0S1evtsjpo
SaXWbPMRZOtmTVsgK8viWE07keAQYFo2Q6L0
/EO4onRfa3nwRzWa33yEKoL0tdUcWFA2HKFA
mx6U4uKsNOLXoOMW24QRcvjEmq7JUfYkkz+a
Atc=";
"169.35.192.in-addr.arpa." 257 3 5 "AwEAAdu43vN4fVNIQKNavcQws3hijUoxSEFq
8DO7478O1lXN0AZ5W5EjlF6A1INpZiTBdjJY
rSdpdXDiDQfDSZ+VR63wgl/aYasFWBpNOg+S
LyTuA8n8MvY26Sb72N/K797lk6QgEp9E52nd
Yslt5NJDxCplO/Q0sONecHg6uGQnEPBMzLdT
iQrvYQQJEUATk/p7aLxRSpfxHuqEpVzbe3aR
pJ0=";