[123890] in North American Network Operators' Group

Re: Signing of the ARPA zone

daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Mar 17 17:51:59 2010

From: Joe Abley <joe.abley@icann.org>
To: NANOG list <nanog@nanog.org>
Date: Wed, 17 Mar 2010 14:51:26 -0700
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Colleagues,

This is a follow-up to the operational announcement regarding changes to the ARPA top-level domain that was sent on 2010-03-10. Apologies in advance for duplicates received through different mailing lists.

As of 2010-03-17 1630 UTC all the authoritative servers for ARPA are serving a signed ARPA zone.

We would like to solicit feedback from the technical community to allow us to identify any operational ill-effects that this change has caused. We will monitor this mailing list for feedback, and I will also distribute any feedback sent to me personally so that it can be considered.

If no harmful effects have been identified by 2010-03-21 the trust anchor for the ARPA zone will be published through the IANA ITAR at <https://itar.iana.org/>.

Regards,


Joe

Begin forwarded message:

> From: Joe Abley <joe.abley@icann.org>
> Date: 10 March 2010 16:13:46 EST
> To: Joe Abley <joe.abley@icann.org>
> Subject: Signing of the ARPA zone
>
> Colleagues,
>
> This is a technical, operational announcement regarding changes to the ARPA top-level domain. Apologies in advance for duplicates received through different mailing lists.
>
> No specific action is requested of operators. This message is for your information only.
>
> The ARPA zone is about to be signed using DNSSEC. The technical parameters by which ARPA will be signed are as follows:
>
> KSK Algorithm and Size: 2048 bit RSA
> KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
> KSK Signature Algorithm: SHA-256
> Validity period for signatures made with KSK: 15 days; new signatures published every 10 days
> ZSK Algorithm and Size: 1024 bit RSA
> ZSK Rollover: every 3 months
> ZSK Signature Algorithm: SHA-256
> Authenticated proof of non-existence: NSEC
> Validity period for signatures made with ZSK: 7 days; zone generated and re-signed twice per day
>
> The twelve root server operators [1] will begin to serve a signed ARPA zone instead of the (current) unsigned ARPA zone during a maintenance window which will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Individual root server operators will carry out their maintenance at times within that window according to their own operational preference.
>
> The trust anchor for the ARPA zone will be published in the ITAR [2], and in the root zone in the form of a DS record once the root zone is signed.
>
> If you have any concerns or require further information, please let me know.
>
> Regards,
>
>
> Joe Abley
> Director DNS Operations, ICANN
>
> [1] <http://www.root-servers.org/>
> [2] <https://itar.iana.org/>


