[dns-operations] Signing of the ARPA zone

Roy Arends roy at dnss.ec
Thu Mar 11 09:50:54 UTC 2010

On Mar 11, 2010, at 3:53 AM, Joe Abley wrote:

> Colleagues,
> This is a technical, operational announcement regarding changes to the ARPA top-level domain. Apologies in advance for duplicates received through different mailing lists.
> No specific action is requested of operators. This message is for your information only.
> The ARPA zone is about to be signed using DNSSEC. The technical parameters by which ARPA will be signed are as follows:
> KSK Algorithm and Size: 2048 bit RSA
> KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
> KSK Signature Algorithm: SHA-256
> Validity period for signatures made with KSK: 15 days; new signatures published every 10 days
> ZSK Algorithm and Size: 1024 bit RSA
> ZSK Rollover: every 3 months
> ZSK Signature Algorithm: SHA-256
> Authenticated proof of non-existence: NSEC
> Validity period for signatures made with ZSK: 7 days; zone generated and re-signed twice per day
> The twelve root server operators [1] will begin to serve a signed ARPA zone instead of the (current) unsigned ARPA zone during a maintenance window which will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Individual root server operators will carry out their maintenance at times within that window according to their own operational preference.
> The trust anchor for the ARPA zone will be published in the ITAR [2], and in the root zone in the form of a DS record once the root zone is signed.
> If you have any concerns or require further information, please let me know.

Joe, fantastic news


More information about the dns-operations mailing list