[123542] in North American Network Operators' Group
Signing of the ARPA zone
daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Mar 10 16:33:31 2010
From: Joe Abley <joe.abley@icann.org>
To: Joe Abley <joe.abley@icann.org>
Date: Wed, 10 Mar 2010 13:13:46 -0800
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Colleagues,
This is a technical, operational announcement regarding changes to the ARPA=
top-level domain. Apologies in advance for duplicates received through dif=
ferent mailing lists.
No specific action is requested of operators. This message is for your info=
rmation only.
The ARPA zone is about to be signed using DNSSEC. The technical parameters =
by which ARPA will be signed are as follows:
KSK Algorithm and Size: 2048 bit RSA
KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
KSK Signature Algorithm: SHA-256
Validity period for signatures made with KSK: 15 days; new signatures publi=
shed every 10 days
ZSK Algorithm and Size: 1024 bit RSA
ZSK Rollover: every 3 months
ZSK Signature Algorithm: SHA-256
Authenticated proof of non-existence: NSEC
Validity period for signatures made with ZSK: 7 days; zone generated and re=
-signed twice per day
The twelve root server operators [1] will begin to serve a signed ARPA zone=
instead of the (current) unsigned ARPA zone during a maintenance window wh=
ich will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Indi=
vidual root server operators will carry out their maintenance at times with=
in that window according to their own operational preference.
The trust anchor for the ARPA zone will be published in the ITAR [2], and i=
n the root zone in the form of a DS record once the root zone is signed.
If you have any concerns or require further information, please let me know=
.
Regards,
Joe Abley
Director DNS Operations, ICANN
[1] <http://www.root-servers.org/>
[2] <https://itar.iana.org/>=
