[195816] in North American Network Operators' Group
Operational message: DNS root zone KSK rollover to occur on October
daemon@ATHENA.MIT.EDU (Matt Larson)
Sat Sep 16 05:07:45 2017
From: Matt Larson <matt.larson@icann.org>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Fri, 15 Sep 2017 15:54:02 +0000

The root zone management partners, ICANN and Verisign, are working
together to change the DNS root zone's key-signing key (KSK). This
process is referred to as "rolling" the root zone KSK.

The root zone's apex DNSKEY RRset has been signed with the same KSK,
known as KSK-2010, since the root zone was first signed in July, 2010.
On October 11, 2017, at approximately 1600 UTC, the root zone will be
published with the apex DNSKEY RRset signed for the first time with a
new KSK, known as KSK-2017. The root zone apex DNSKEY RRset will be
signed with only KSK-2017 going forward.

While the specific date of the KSK rollover, October 11, 2017, had been
announced previously, the time of 1600 UTC on that day has not been
announced until now, which is the primary purpose of this message.

The public portion of the root zone KSK is configured as a trust anchor
in software performing DNSSEC validation. The configuration of any
software performing DNSSEC validation will need to be updated to
reference KSK-2017 on or before October 11, 2017, or all DNS responses
received by that software will fail DNSSEC validation, resulting
ultimately in error messages to end users. In many cases, software
performing DNSSEC validation supports "Automated Updates of DNS
Security", the protocol defined in RFC 5011 that can automatically
update a DNSSEC validator's trust anchor configuration. If the software
does not support this protocol, or it is incorrectly implemented or not
configured correctly, the trust anchor will need to be updated manually.

Anyone operating software performing DNSSEC validation with the root
zone KSK configured as a trust anchor must take action on or before
October 11, 2017, to confirm that their software is configured with
KSK-2017 as a trust anchor and, if not, take the necessary steps to
update the configuration.

Further information about the root KSK rollover, including information
about how to check and update the trust anchor configuration of popular
recursive resolver implementations that support DNSSEC validation, is
available at https://icann.org/kskroll.

For the root zone management partners,
Matt Larson
VP of Research, ICANN
Duane Wessels
Distinguished Engineer, Verisign
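
A check for the condition the message warns about (a validator that trusts only KSK-2010), as an added example that is not part of the original message or of ICANN's or Verisign's tooling. It assumes the validator's root trust anchors are available as DS or DNSKEY records in zone-file format; the key tags 19036 (KSK-2010) and 20326 (KSK-2017) are not stated in the message, and the sample records are constructed.

```python
import base64

# Key tags of the root KSKs as published by IANA (not stated in the message).
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def anchor_tags(text):
    """Key tags of root-zone trust anchors found in zone-file style text."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop trailing comments
        if not fields or fields[0] != ".":          # root owner name only
            continue
        head = [f.upper() for f in fields[:4]]      # owner [ttl] [class] type
        idx = next((i for i, f in enumerate(head) if f in ("DS", "DNSKEY")), None)
        if idx is None:
            continue
        if head[idx] == "DS":
            tags.add(int(fields[idx + 1]))          # DS carries the tag itself
        else:
            flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
            if flags & 1:                           # SEP bit set: a KSK
                tags.add(key_tag(flags, proto, alg, "".join(fields[idx + 4:])))
    return tags

def rollover_status(text):
    """Classify a trust anchor set against the KSK rollover."""
    tags = anchor_tags(text)
    if KSK_2017_TAG in tags:
        return "ready"
    return "update-needed" if KSK_2010_TAG in tags else "no-root-anchor"

# Constructed samples: the digests are placeholders, not the real DS digests.
SAMPLE_OLD_ONLY = ". IN DS 19036 8 2 " + "0" * 64 + " ; KSK-2010"
SAMPLE_BOTH = SAMPLE_OLD_ONLY + "\n. 172800 IN DS 20326 8 2 " + "0" * 64

if __name__ == "__main__":
    print(rollover_status(SAMPLE_OLD_ONLY))   # update-needed
    print(rollover_status(SAMPLE_BOTH))       # ready
```

A matching key tag is only a 16-bit checksum, so a "ready" result should still be confirmed by comparing the full key or digest against the trust anchors IANA publishes.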