[dns-operations] Reply: [Ext] The Collection of Yeti Technical activities and Findings

Edward Lewis edward.lewis at icann.org
Mon Jan 23 17:59:49 UTC 2017


On 1/22/17, 03:33, "Davey Song(宋林健)" <ljsong at biigroup.cn> wrote:

>Thanks for your explanation. I made a mistake. September 19, 2017 is the second increase for DNSKEY response which may have impact on IPv6 fragmentation. A simple "Kick off" is not clear in this context as you explained.

At the risk of confusing things, but to appeal to the inner engineer in all of us and to plug talks upcoming at NANOG and APRICOT...

The significance of September 19, 2017 is that on this date a regularly scheduled roll of the Zone Signing Key begins.  Depending on the calendar (not all quarters are 90 days), approximately 10 days before the start of a quarter a new ZSK DNSKEY RR always appears.  In the third quarter (July 1 to October 1), the DNSKEY RR set will have had two (instead of one) Key Signing Key DNSKEY RR's and one ZSK DNSKEY RR in it.

While the state of the Key Signing Key roll does not change on this date, the response size of a query for the root zone's DNSKEY set rises and may have an impact on IPv6 fragmentation.  Note that with the withdrawal of the outgoing ZSK on or about October 11, the DNSKEY response returns to a previous level until the next ZSK roll begins.

...so, not that big of a "mistake". ;) Still, operators ought to be aware (as appropriate for their interests) of the KSK rollover well before that date.

BTW, NANOG 69 (first week of February) has accepted a presentation on the KSK rollover that may be of interest to folks.  (There will be remote participation, OTOH, I don't know the timeslot for the talk.)  APRICOT 2017 will also have the talk as well as other events as time progresses. 

Ed
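
An added example, not part of the original message: it builds wire-format root DNSKEY responses for the key-set stages described above and compares their size with the UDP payload that fits in a minimum-MTU (1280-byte) IPv6 packet. Assumptions not stated in the message: all keys and the signature are 2048-bit RSA with exponent 65537, the RRset carries a single RRSIG, and the response includes an empty EDNS0 OPT record.

```python
import struct

ROOT = b"\x00"                              # owner name "." in wire format
IPV6_MIN_MTU = 1280
UDP_PAYLOAD_AT_MIN_MTU = IPV6_MIN_MTU - 40 - 8   # minus IPv6 and UDP headers

def rr(rtype, rdata, ttl=172800):
    """Wire-format resource record owned by the root, class IN."""
    return ROOT + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def dnskey(flags, modulus_bits=2048):
    # RSA public key layout (RFC 3110): exponent length, exponent, modulus.
    # The modulus is zero-filled: only its length matters here (assumption: 2048 bits).
    pubkey = b"\x03" + b"\x01\x00\x01" + bytes(modulus_bits // 8)
    return rr(48, struct.pack("!HBB", flags, 3, 8) + pubkey)

def rrsig(sig_bits=2048):
    # Type covered, algorithm, labels, original TTL, expiration, inception, key tag,
    # then signer name "." and a zero-filled signature of the assumed size.
    fixed = struct.pack("!HBBIIIH", 48, 8, 0, 172800, 0, 0, 0)
    return rr(46, fixed + ROOT + bytes(sig_bits // 8))

def dnskey_response_size(ksks, zsks, rrsigs=1):
    """Size in bytes of a response to '. IN DNSKEY' with the DO bit set."""
    answers = [dnskey(257)] * ksks + [dnskey(256)] * zsks + [rrsig()] * rrsigs
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, len(answers), 0, 1)
    question = ROOT + struct.pack("!HH", 48, 1)
    opt = ROOT + struct.pack("!HHIH", 41, 4096, 0x8000, 0)   # EDNS0 OPT, DO set
    return len(header + question + b"".join(answers) + opt)

def report():
    """(stage, response size, exceeds minimum-MTU payload) for each stage."""
    stages = [("one KSK, one ZSK", 1, 1),
              ("two KSKs, one ZSK", 2, 1),
              ("two KSKs, two ZSKs (ZSK roll in progress)", 2, 2)]
    rows = []
    for label, ksks, zsks in stages:
        size = dnskey_response_size(ksks, zsks)
        rows.append((label, size, size > UDP_PAYLOAD_AT_MIN_MTU))
    return rows

if __name__ == "__main__":
    for label, size, too_big in report():
        verdict = "exceeds" if too_big else "fits in"
        print(f"{label}: {size} bytes, {verdict} {UDP_PAYLOAD_AT_MIN_MTU}-byte payload")
```

Under these assumptions only the stage with two KSKs and two ZSKs exceeds the 1232-byte payload, which is the stage where IPv6 fragmentation becomes a concern.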