[dns-operations] Signing of the ARPA zone

bmanning at vacation.karoshi.com
Mon Mar 22 00:29:26 UTC 2010

On Sun, Mar 21, 2010 at 04:48:25PM -0400, Matt Larson wrote:
> On Tue, 16 Mar 2010, Chris Thompson wrote:
> > On Mar 15 2010, I wrote:
> >> The servers that are delivering a signed "arpa" so far have DNSKEY/RRSIG
> >> records using algorithm RSASHA1 (5) rather than RSASHA256 (8). Has there
> >> been a change of plan in that respect?
> >
> > Ah... today they (that's [ghiklm].root-servers.net so far) have switched
> > to an RSASHA256-signed version of "arpa".
> The initial plans called for signing .arpa with RSASHA1, since the
> code point for RSASHA256 hadn't even been assigned by the IETF when
> the project started.  The initial .arpa signing infrastructure,
> including the zone's securely generated keys, was deployed with
> RSASHA1.  The decision to use RSASHA256 came later in the project and
> the system was not reconfigured for the new algorithm until after the
> deployment had started.  At the time of the algorithm change, the
> RSASHA1 trust anchor had not been published, nor had all .arpa servers
> started serving the signed zone, so no community of DNSSEC validators
> using the RSASHA1 KSK could have formed.  We are pleased that we were
> able to deploy .arpa using RSASHA256 as ultimately intended, and so
> far with no reported negative impact.
> Matt

	it is perhaps useful to reflect that Chris looked at the system
	in the middle of the deployment window, when one might expect
	it to be in a state of flux.  A key point is that when the transition
	window closed, all of the .arpa servers were serving a zone
	signed with SHA256 as expected/intended.  I think that even in the
	face of unexpected/anticipated events, we were still able to keep
	on schedule.
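The check Chris describes above (looking at which algorithm the served DNSKEY RRset uses) can be scripted. The following is an added example, not code from this thread or from the .arpa operators: it parses DNSKEY records in presentation format, reports the algorithm numbers in use (5 = RSASHA1, 8 = RSASHA256), flags any key that does not match the algorithm you expect, and derives the SHA-256 DS record (RFC 4034 digest type 2) for each KSK, which is the form a trust anchor would be published in. The sample keys are constructed stand-ins, not real .arpa keys.

```python
import base64
import hashlib

# IANA DNSSEC algorithm numbers; 5 and 8 are the two discussed in the thread.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256"}

def parse_dnskey(rr):
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' into its fields."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, proto, alg, key

def rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rd):
    """Key tag per RFC 4034 Appendix B (16-bit ones-complement-style sum)."""
    ac = 0
    for i, b in enumerate(rd):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner):
    """Canonical (lowercase) wire-format owner name, e.g. 'arpa.' -> b'\\x04arpa\\x00'."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_sha256(owner, flags, proto, alg, key):
    """DS record (digest type 2): SHA-256 over owner name || DNSKEY RDATA."""
    rd = rdata(flags, proto, alg, key)
    digest = hashlib.sha256(wire_name(owner) + rd).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rd)} {alg} 2 {digest}"

def audit(dnskey_rrs, expected_alg):
    """Return (algorithms seen, DS records for KSKs, keys not using expected_alg)."""
    seen, ksks, bad = set(), [], []
    for rr in dnskey_rrs:
        owner, flags, proto, alg, key = parse_dnskey(rr)
        seen.add(alg)
        if alg != expected_alg:
            bad.append((key_tag(rdata(flags, proto, alg, key)), ALGORITHMS.get(alg, str(alg))))
        if flags & 256 and flags & 1:  # zone-key bit plus SEP bit marks a KSK
            ksks.append(ds_sha256(owner, flags, proto, alg, key))
    return seen, ksks, bad

# Constructed sample RRset: an RSASHA256 KSK and ZSK plus a leftover RSASHA1 KSK.
SAMPLE = ["arpa. 86400 IN DNSKEY 257 3 8 AQIDBA==",
          "arpa. 86400 IN DNSKEY 256 3 8 BQYHCA==",
          "arpa. 86400 IN DNSKEY 257 3 5 AQIDBA=="]
```

Running `audit(SAMPLE, 8)` reports algorithms {5, 8} and singles out the RSASHA1 key, which is exactly the mixed state one would expect to see mid-transition.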

