[dns-operations] DNSSEC KSK Rollover Event for RIPE NCC Zones

Anand Buddhdev anandb at ripe.net
Mon Jun 14 16:06:00 UTC 2010

Dear Colleagues,

On Tuesday, 23 March 2010, the RIPE NCC published new DNSSEC trust
anchors. They can be found in a new location on the RIPE website at:

Today the RIPE NCC has started signing all of our zones with the new
keys found in those trust anchor files. If you have both the old and
the new keys configured you do not need to make any changes right now.
On Wednesday, 16 June, we will remove the old trust anchors from our

With today's key rollover event the RIPE NCC has completed the
migration to new DNSSEC signers. We have updated our DNSSEC Policy and
Practice Statement (DPS). The updated DPS can be found at:

During the migration we did experience a small issue. Our processes
failed to pre-publish the previous Zone Signing Key (ZSK) into the zones
on our new signers. While our zones were propagating to the secondary
servers, some validating resolvers may have fetched signed answers and
DNSKEY records from different servers, and not been able to validate
these answers. However, the time-to-live on the old ZSK DNSKEY record
was one hour, so the window during which validation failures could have
occurred is quite small. We have taken steps to ensure that this will
not happen in the future.

If you have any questions or comments, please send an email to
<dns-help at ripe.net>.

Anand Buddhdev
DNS Services Manager
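
The failure mode described in the message (a resolver holding the DNSKEY RRset from an already-updated server while receiving answers signed by the previous ZSK from a secondary that has not yet transferred the zone) can be checked before a rollover; the sketch below is an added example, not part of the original message and not RIPE NCC's tooling. The server names, key bytes and the contents of the stale zone's DNSKEY set are constructed assumptions; the key tag routine follows RFC 4034 Appendix B.

```python
from itertools import permutations

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA, as specified in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey(flags: int, label: bytes) -> bytes:
    # Constructed DNSKEY RDATA: flags, protocol 3, algorithm 5, placeholder key bytes.
    return flags.to_bytes(2, "big") + bytes([3, 5]) + label

# Constructed keys (placeholders, not real key material).
OLD_ZSK = dnskey(256, b"old-zsk-constructed")
NEW_ZSK = dnskey(256, b"new-zsk-constructed")
NEW_KSK = dnskey(257, b"new-ksk-constructed")

def validation_gaps(servers: dict) -> list:
    """Return (dnskey_from, answer_from) pairs where a resolver that cached the
    DNSKEY RRset from one server cannot find the key that signed the answers
    served by another server."""
    gaps = []
    for key_src, ans_src in permutations(servers, 2):
        published = {key_tag(k) for k in servers[key_src]["dnskeys"]}
        if key_tag(servers[ans_src]["signed_by"]) not in published:
            gaps.append((key_src, ans_src))
    return gaps

# Secondary still serving the previous zone version, signed with the old ZSK.
# Assumption: that version already lists the new keys.
STALE = {"dnskeys": [OLD_ZSK, NEW_ZSK, NEW_KSK], "signed_by": OLD_ZSK}

# New zone version without the previous ZSK pre-published.
AS_DEPLOYED = {
    "stale-secondary": STALE,
    "updated-primary": {"dnskeys": [NEW_KSK, NEW_ZSK], "signed_by": NEW_ZSK},
}
# Same rollout with the previous ZSK kept in the new DNSKEY RRset.
WITH_PREPUBLISH = {
    "stale-secondary": STALE,
    "updated-primary": {"dnskeys": [NEW_KSK, NEW_ZSK, OLD_ZSK],
                        "signed_by": NEW_ZSK},
}

if __name__ == "__main__":
    print("as deployed:     ", validation_gaps(AS_DEPLOYED))
    print("with pre-publish:", validation_gaps(WITH_PREPUBLISH))
```

A non-empty result means validation can fail for as long as the mismatched DNSKEY RRset stays cached, which is bounded by its TTL.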

