[dns-operations] .gov DNSSEC operational message

Matt Larson mlarson at verisign.com
Wed Dec 22 21:13:51 UTC 2010

Hash: SHA1

A KSK roll for the .gov zone will occur at the end of January, 2011.
This key change is necessitated by a registry operator transition:
VeriSign has been selected by the U.S. General Services Administration
(GSA) to operate the domain name registry for .gov.  It is important
that you prepare for this key change NOW.

DO NOT WAIT until late January, 2011, to take action: the changes
described below should be made as soon as possible.

Because .gov was signed prior to the signing of the root zone, it is
reasonable to believe that many DNSSEC validators (usually part of
recursive name servers) have the .gov zone's KSK statically configured
as a trust anchor.  Further, because automated trust anchor rollover
software implementing the protocol described in RFC 5011 has not been
widely available until recently, it is reasonable to believe that few
validators with a statically configured .gov trust anchor would be
able to understand a KSK roll using RFC 5011 semantics and update
their trust anchor store automatically.

VeriSign is sending this message to announce the impending .gov KSK
roll so that the DNSSEC operational community will be informed of the
change and has the opportunity to take the necessary steps to prepare
for it.

The .gov KSK roll will occur between 27 January 2011 and 31 January
2011.  The rollover will not use RFC 5011 semantics because of issues
surrounding the registry operator transition.

The new KSK will not be published in an authenticated manner outside
DNS (e.g., on an SSL-protected web page).  Rather, the intended
mechanism for trusting the new KSK is via the signed root zone: DS
records corresponding to the new KSK are already present in the root

Because the root zone has had DS records corresponding to the current
.gov KSK since 27 October 2010, static configuration of a trust anchor
for .gov is currently no longer strictly necessary.

Because there will be no non-DNS-based mechanism to authenticate
subsequent .gov KSKs, configuration of the .gov KSK as a trust anchor

Take these steps NOW to prepare for the .gov KSK roll in late January

1. If your DNSSEC validators DO NOT HAVE a trust anchor for the root
zone configured, CONFIGURE the root zone's KSK as a trust anchor.  An
authenticated version of the root zone's KSK is available at

2. If your DNSSEC validators have a trust anchor for the .gov zone
configured, REMOVE the .gov zone's KSK as a trust anchor from your
validator's configuration.

If you follow both steps above, your DNSSEC validators should continue
to validate names in .gov, but the .gov KSK will be authenticated via
the signed root's KSK rather than a locally configured trust anchor.

DO NOT WAIT until late January, 2011, to take these actions: the trust
anchor changes described above should be made as soon as possible.

If you have any questions or comments, please send email to
registrar at dotgov.gov or reply to this message.
Version: GnuPG v1.4.11 (Darwin)


More information about the dns-operations mailing list