[dns-operations] Signing of the ARPA zone

[Brett Carr]

Joe,

On Thu, Mar 11, 2010 at 12:53 AM, Joe Abley <joe.abley at icann.org> wrote:
> Colleagues,
>
> This is a technical, operational announcement regarding changes to the ARPA top-level domain. Apologies in advance for duplicates received through different mailing lists.
>
> No specific action is requested of operators. This message is for your information only.
>
> The ARPA zone is about to be signed using DNSSEC. The technical parameters by which ARPA will be signed are as follows:
>
> KSK Algorithm and Size: 2048 bit RSA
> KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
> KSK Signature Algorithm: SHA-256
> Validity period for signatures made with KSK: 15 days; new signatures published every 10 days
> ZSK Algorithm and Size: 1024 bit RSA
> ZSK Rollover: every 3 months
> ZSK Signature Algorithm: SHA-256
> Authenticated proof of non-existence: NSEC
> Validity period for signatures made with ZSK: 7 days; zone generated and re-signed twice per day
>
> The twelve root server operators [1] will begin to serve a signed ARPA zone instead of the (current) unsigned ARPA zone during a maintenance window which will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Individual root server operators will carry out their maintenance at times within that window according to their own operational preference.
>
> The trust anchor for the ARPA zone will be published in the ITAR [2], and in the root zone in the form of a DS record once the root zone is signed.
>
> If you have any concerns or require further information, please let me know.
>

This is very good news, more congrats to the ICANN DNSSEC team. Out of
interest do you have a date when you will be accepting Secure
delegation requests for .arpa I will be very interested to see the
reverse zones and e164.arpa get DS records so we can see real chains
of trust appearing.

Brett