[dns-operations] Plan documents for root KSK roll project now available

Matt Larson matt at kahlerlarson.org
Tue Jul 26 16:35:12 UTC 2016

Somewhat embarrassingly, I managed to make two date-related mistakes in one paragraph in the announcement I posted.  The corrected text should read:

> The process of creating a new key, using it to sign the root DNSKEY RRset and securely destroying the old key will start in Q4 2016 and last until Q3 2018, though the portions resulting in visible changes in DNS occur between Q3 2017 and Q1 2018.  The important milestones in the project are:

The dates in the following paragraph were all correct, but I'll repeat them here for completeness:

> - October 26, 2016: The new KSK is generated in ICANN's U.S. East Coast key management facility (KMF).
> - February, 2017: The new KSK is copied to ICANN's U.S. West Coast KMF and is considered operationally ready, and ICANN publishes the new key at https://data.iana.org/root-anchors/root-anchors.xml <https://data.iana.org/root-anchors/root-anchors.xml>.  (The exact date is dependent on the timing of the Q1 2017 key ceremony, which has not yet been scheduled.)
> - July 11, 2017: The new KSK appears in the root DNSKEY RRset for the first time.
> - October 11, 2017: The new KSK signs the root DNSKEY RRset (and the old KSK no longer signs).  This date is the actual KSK rollover.
> - January 11, 2018: The old KSK is published as revoked (per RFC 5011, "Automated Updates of DNS Security").

I apologize for the error.  I'd even had coffee already, so I can't blame lack of caffeine...


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160726/15290b86/attachment.html>

More information about the dns-operations mailing list