[dns-operations] Operational message: DNS root zone KSK rollover to occur on October 11, 2017 at 1600 UTC
eduardomlduarte at gmail.com
Sat Sep 16 18:05:35 UTC 2017
Thank you for letting us know the exact time of the rollover.
I wanted to question how did you choose it?
I'm asking this because it doesn't seem to be the best pick. Ok, I know that
probably there are no good picks for this operation...
I'm criticizing the hour chosen, 1600UTC, because it will be
1800CET and most of the network engineers will be out of the office or
going out, and also most of the internet users will be on their way home.
So if anything breaks in a network (we hope not) we would have a very high
number of users calling the Telco call centers saying that their internet is
According to APNIC statistics Europe is one of the areas of the world where
there are more resolvers with validation on.
Thank you and best regards,
2017-09-14 22:16 GMT+01:00 Matt Larson <matt.larson at icann.org>:
> The root zone management partners, ICANN and Verisign, are working
> together to change the DNS root zone's key-signing key (KSK). This process
> is referred to as "rolling" the root zone KSK.
> The root zone's apex DNSKEY RRset has been signed with the same KSK, known
> as KSK-2010, since the root zone was first signed in July, 2010. On October
> 11, 2017, at approximately 1600 UTC, the root zone will be published with
> the apex DNSKEY RRset signed for the first time with a new KSK, known as
> KSK-2017. The root zone apex DNSKEY RRset will be signed with only KSK-2017
> going forward.
> While the specific date of the KSK rollover, October 11, 2017, had been
> announced previously, the time of 1600 UTC on that day has not been
> announced until now, which is the primary purpose of this message.
> The public portion of the root zone KSK is configured as a trust anchor in
> software performing DNSSEC validation. The configuration of any software
> performing DNSSEC validation will need to be updated to reference KSK-2017
> on or before October 11, 2017, or all DNS responses received by that
> software will fail DNSSEC validation, resulting ultimately in error
> messages to end users. In many cases, software performing DNSSEC validation
> supports "Automated Updates of DNS Security", the protocol defined in RFC
> 5011 that can automatically update a DNSSEC validator's trust anchor
> configuration. If the software does not support this protocol, or it is
> incorrectly implemented or not configured correctly, the trust anchor will
> need to be updated manually.
> Anyone operating software performing DNSSEC validation with the root zone
> KSK configured as a trust anchor must take action on or before October 11,
> 2017, to confirm that their software is configured with KSK-2017 as a trust
> anchor and, if not, take the necessary steps to update the configuration.
> Further information about the root KSK rollover, including information
> about how to check and update the trust anchor configuration of popular
> recursive resolver implementations that support DNSSEC validation, is
> available at https://icann.org/kskroll.
> For the root zone management partners,
> Matt Larson
> VP of Research, ICANN
> Duane Wessels
> Distinguished Engineer, Verisign
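The trust-anchor check that the quoted announcement asks validator operators to make, sketched as an added example that is not part of the original thread or of ICANN's tooling. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are taken from IANA's published root anchors rather than from the message, and the sample records below are constructed placeholders, not real digests or keys.

```python
import base64

KSK_2010_TAG = 19036  # assumption: from IANA's root anchors, not stated in the message
KSK_2017_TAG = 20326  # assumption: from IANA's root anchors, not stated in the message

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY RDATA, computed as in RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def root_anchor_tags(text):
    """Key tags of root (".") DS and DNSKEY records, one record per line."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing ';' comments
        if len(fields) < 2 or fields[0] != ".":
            continue
        i = 1  # skip the optional TTL and class before the record type
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        rtype, rdata = fields[i].upper() if i < len(fields) else "", fields[i + 1:]
        if rtype == "DS" and len(rdata) >= 4:
            tags.add(int(rdata[0]))  # a DS record carries the key tag directly
        elif rtype == "DNSKEY" and len(rdata) >= 4:
            flags, proto, alg = (int(x) for x in rdata[:3])
            key = base64.b64decode("".join(rdata[3:]))
            tags.add(key_tag(flags, proto, alg, key))
    return tags

def rollover_status(text):
    """'ready' if KSK-2017 is configured, 'stale' if only KSK-2010 is."""
    tags = root_anchor_tags(text)
    if KSK_2017_TAG in tags:
        return "ready"
    return "stale" if KSK_2010_TAG in tags else "no-root-anchor"

# Constructed sample trust-anchor files; the digests and key are placeholders.
PLACEHOLDER_DIGEST = "00" * 32
STALE = f". 172800 IN DS 19036 8 2 {PLACEHOLDER_DIGEST}\n"
READY = STALE + f". 172800 IN DS 20326 8 2 {PLACEHOLDER_DIGEST} ; added by RFC 5011\n"
TOY_DNSKEY = ". IN DNSKEY 257 3 8 AQIDBA== ; constructed 4-byte key\n"

if __name__ == "__main__":
    for name, sample in (("stale", STALE), ("ready", READY)):
        print(name, sorted(root_anchor_tags(sample)), rollover_status(sample))
```

A validator whose anchor file reports "stale" still trusts only KSK-2010 and would fail validation once the root DNSKEY RRset is signed with KSK-2017 alone. Records split across lines with parentheses are not handled by this parser.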