Different link for NSEC3 as nsec3.org is down

[mirror/dsa-wiki.git] / input / dsablog / 2010 / 02 / Securing_the_Debian_zones.mdwn

diff --git a/input/dsablog/2010/02/Securing_the_Debian_zones.mdwn b/input/dsablog/2010/02/Securing_the_Debian_zones.mdwn
index b4f86d9..9cd3524 100644 (file)
--- a/input/dsablog/2010/02/Securing_the_Debian_zones.mdwn
+++ b/input/dsablog/2010/02/Securing_the_Debian_zones.mdwn
@@ -28,7 +28,7 @@ DNS infrastructure
 <code>www</code>)
 will follow at a later date.
 
-We are using bind 9.6 for [NSEC3](http://www.nsec3.org/) support and
+We are using bind 9.6 for [NSEC3](http://tools.ietf.org/html/rfc5155) support and
 [our](http://git.debian.org/?p=mirror/Net-DNS-SEC-Maint-Key.git)
 [fork](http://git.debian.org/?p=mirror/Net-DNS-SEC-Maint-Zone.git)
 of RIPE's
@@ -42,7 +42,7 @@ We will use NSEC3RSASHA1 with key sizes of 1536 bits for the KSK and
 1152 bits for the ZSK.  Signature validity period will most likely be
 four weeks, with a one week signature publication period
 (cf. [RFC4641: DNSSEC Operational
-Practices](http://www.ietf.org/rfc/rfc4641.txt)).
+Practices](http://tools.ietf.org/html/rfc4641)).
 
 Zone keys rollovers will happen regularly and will not be announced in
 any specific way.  Key signing key rollovers will probably be announced
@@ -55,6 +55,10 @@ we can just put proper
 [DS records](http://en.wikipedia.org/wiki/List_of_DNS_record_types#DS)
 in the respective parent zone.
 
+Until we announce the first set of trust anchors on the mailinglist the
+keysets present in DNS should not be considered productional.  They can
+be changed at any time.
+
 See also:
 
 * [DNSSEC wikipedia page](http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions),