[190778] in North American Network Operators' Group
Notice about project to roll the root zone KSK
daemon@ATHENA.MIT.EDU (Matt Larson)
Wed Jul 27 09:44:38 2016
X-Original-To: nanog@nanog.org
From: Matt Larson <matt@kahlerlarson.org>
Date: Tue, 26 Jul 2016 09:15:20 -0400
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
I realize DNS operational content isn't the usual NANOG fare, but =
rolling the root zone KSK for the first time is a significant-enough =
event that I wanted to send to this list anyway.
TL;DR: The root zone KSK is changing on October 11, 2017 (yes, over a =
year away). If you're doing DNSSEC validation, you should care. If =
you're not the DNS person in your organization, please pass this notice =
on to that person. If the topic interests you, more information is =
below.
Matt
--
Matt Larson
VP of Research
Office of the CTO, ICANN
> Begin forwarded message:
>=20
> From: Matt Larson <matt.larson@icann.org>
> Subject: Plan documents for root KSK roll project now available
> Date: July 26, 2016 at 8:59:45 AM EDT
> To: <ksk-rollover@icann.org>
>=20
> On Friday, July 22, in the interests of transparency and to notify the =
DNS operational community, ICANN posted plans =
<https://www.icann.org/resources/pages/ksk-rollover#operational-plans> =
to roll the root zone key signing key (KSK). These plans were developed =
by the Root Zone Management Partners: ICANN in its role as the IANA =
Functions Operator, Verisign acting as the Root Zone Maintainer, and the =
U.S. Department of Commerce's National Telecommunications and =
Information Administration (NTIA) as the Root Zone Administrator. The =
plans incorporate the March 2016 recommendations =
<https://www.iana.org/reports/2016/root-ksk-rollover-design-20160307.pdf> =
of the Root Zone KSK Rollover Design Team, after it sought and =
considered public comment =
<https://www.icann.org/news/announcement-2013-03-08-en> on a proposed =
rollover process.
>=20
> The process of creating a new key, using it to sign the root DNSKEY =
RRset and securely destroying the old key will start in Q4 2016 and last =
until Q3 2016, though the portions resulting in visible changes in DNS =
occur between Q3 2016 and Q1 2017. The important milestones in the =
project are:
>=20
> - October 26, 2016: The new KSK is generated in ICANN's U.S. East =
Coast key management facility (KMF).
> - February, 2017: The new KSK is copied to ICANN's U.S. West Coast KMF =
and is considered operationally ready, and ICANN publishes the new key =
at https://data.iana.org/root-anchors/root-anchors.xml =
<https://data.iana.org/root-anchors/root-anchors.xml>. (The exact date =
is dependent on the timing of the Q1 2017 key ceremony, which has not =
yet been scheduled.)
> - July 11, 2017: The new KSK appears in the root DNSKEY RRset for the =
first time.
> - October 11, 2017: The new KSK signs the root DNSKEY RRset (and the =
old KSK no longer signs). This date is the actual KSK rollover.
> - January 11, 2018: The old KSK is published as revoked (per RFC 5011, =
"Automated Updates of DNS Security").
>=20
> What you need to do
>=20
> If you operate any software performing DNSSEC validation (such as a =
security-aware recursive name server) that implements the RFC 5011 =
automated trust anchor update protocol and this functionality is =
enabled, you have no action: your software will notice the new KSK =
(authenticated by the old KSK) and update its trust anchor store =
accordingly.
>=20
> If you operate any software performing DNSSEC validation that does not =
implement RFC 5011 or if you don't use the RFC 5011 protocol, you will =
need to update your software's trust anchor configuration manually to =
add the new KSK before October 11, 2017. You can obtain the new KSK in =
February, 2017, using one of the methods described in the "Trust Anchor =
Publication" section of 2017 KSK Rollover Operational Implementation =
Plan =
<https://www.icann.org/en/system/files/files/ksk-rollover-operational-impl=
ementation-plan-22jul16-en.pdf> (one of the aforementioned recently =
published plans).
>=20
> If you write, package or distribute software that performs DNSSEC =
validation and you hard code the root KSK (e.g., in code or =
configuration files), you should update your software with the new KSK =
when it becomes available in February, 2017.
>=20
> Staying informed
>=20
> ICANN will post occasional notices to various operational forums to =
keep the community informed of this project's progress, but we strongly =
suggest that anyone with an interest subscribe to the root KSK rollover =
mailing list <https://mm.icann.org/mailman/listinfo/ksk-rollover> =
operated by ICANN (ksk-rollover@icann.org =
<mailto:ksk-rollover@icann.org>). The list is extremely low volume.
>=20
> The ICANN staff supporting and implementing the root KSK rollover =
project welcome your questions and comments: please direct them to the =
ksk-rollover@icann.org <mailto:ksk-rollover@icann.org> list.
>=20
> Matt
> --
> Matt Larson
> VP of Research
> Office of the CTO, ICANN
>=20
