[dns-operations] Root zone KSK-2010 is now revoked

Costantino Andrea (Con) andrea.costantino at h3g.it
Fri Jan 11 20:57:02 UTC 2019

I just have one question:

Why change a production system almost every single internet connected device is depending on, on Friday afternoon?

For half the world it was the "if nobody notices I'll start an early weekend" phase.

For Israel it was already in the middle of their weekend.

For California it was "thank God it's Friday, I'll quickly check things and if nobody notices I'll start an early weekend".

My 2 cents... hope nobody gets hurt...


On 11 Jan 2019 15:33, Matt Larson <matt.larson at icann.org> wrote:
Dear colleagues,

A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root zone management partner, Verisign, published root zone serial number 2019011100 with the RFC 5011 REVOKE bit set. As a result, KSK-2010's key tag has changed from 19036 to 19164. In addition, the root DNSKEY RRset is now signed with two KSKs: the current KSK (KSK-2017) as well as the former KSK (KSK-2010). The second signature is required by RFC 5011 to prove possession of KSK-2010's private key to assert the revocation. This second signature makes the response to a query for the root zone's DNSKEY RRset increase in size from 1414 bytes to 1425 bytes.

We don't expect any operational issues from this change. The DNSKEY RRset size increase is small, and other zones currently publish considerably larger apex DNSKEY RRsets without apparent issue. In addition, because KSK-2010 has not been used for signing since the root KSK rollover to KSK-2017 on 11 October 2018, no DNSSEC validators that are currently validating correctly can be depending on it.

Nevertheless, please let us know if you suspect any issues or have any questions.

May we also suggest subscribing to ksk-rollover at icann.org to receive announcements and participate in discussion about the KSK rollover process in particular and DNSSEC in the root zone in general.

For the root zone management partners,

Matt Larson, VP of Research
ICANN Office of the CTO
matt.larson at icann.org


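As an added illustration (not part of either message above, and not ICANN's or Verisign's code), the following Python shows the two mechanics the announcement relies on. First, the RFC 4034 Appendix B key tag computation, which explains why setting the RFC 5011 REVOKE bit changes a key's tag at all: the REVOKE bit is 0x0080 in the flags word, so the 16-bit sum grows by 128, which matches 19036 to 19164 in the announcement (the difference would be 129 only if the addition carried into bit 16). Second, the trust-anchor bookkeeping a validator does under RFC 5011: an anchor is dropped only when the zone publishes the same key material with the REVOKE bit set and the RRset carries a signature made by that key, which is the "second signature" Matt describes. The validator must therefore match anchors by public-key bytes, not by key tag, since revocation changes the tag. The six-byte public key, the presentation-format line, and the function names are constructed for this example; signature verification is assumed to have been done by the caller and is passed in as a set of key tags.

```python
import base64
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1 and RFC 5011 section 2.1)
ZONE_FLAG = 0x0100    # bit 7: Zone Key
REVOKE_FLAG = 0x0080  # bit 8: REVOKE (RFC 5011)
SEP_FLAG = 0x0001     # bit 15: Secure Entry Point (the "KSK" bit)


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format RDATA of a DNSKEY RR: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (algorithm != 1 variant).

    Sum the RDATA as big-endian 16-bit words, fold the carry once, keep 16 bits.
    Because the flags word is the first word, toggling REVOKE_FLAG (0x0080)
    shifts the tag by 128 unless the addition carries out of bit 15.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation):
    """Parse 'FLAGS PROTOCOL ALGORITHM BASE64KEY...' (RFC 4034 section 2.2).

    Returns (flags, protocol, algorithm, pubkey_bytes). Base64 may be split
    across several whitespace-separated chunks, as in zone files.
    """
    parts = presentation.split()
    flags, protocol, algorithm = int(parts[0]), int(parts[1]), int(parts[2])
    pubkey = base64.b64decode("".join(parts[3:]))
    return flags, protocol, algorithm, pubkey


def is_revoked(flags):
    """True when the RFC 5011 REVOKE bit is set."""
    return bool(flags & REVOKE_FLAG)


def apply_revocations(anchors, dnskey_rrset, verified_self_signed_tags):
    """Simplified RFC 5011 section 5.2 bookkeeping (added illustration).

    anchors: dict mapping public-key bytes -> key tag as originally trusted.
    dnskey_rrset: list of (flags, protocol, algorithm, pubkey) tuples as
        published by the zone.
    verified_self_signed_tags: key tags whose RRSIG over this RRset the
        caller has already verified (assumption: verification happens elsewhere).

    An anchor is removed only if the same key material appears with the REVOKE
    bit set AND that (revoked-tag) key signed the RRset. A revoke-flagged key
    without a matching signature is ignored, so a third party cannot revoke an
    anchor just by injecting a flag-flipped copy of the key.
    Returns a list of (original_tag, revoked_tag) pairs that were removed.
    """
    removed = []
    for flags, protocol, algorithm, pubkey in dnskey_rrset:
        if not is_revoked(flags) or pubkey not in anchors:
            continue
        revoked_tag = key_tag(flags, protocol, algorithm, pubkey)
        if revoked_tag not in verified_self_signed_tags:
            continue  # unsigned revocation claim: not acted upon
        removed.append((anchors.pop(pubkey), revoked_tag))
    return removed


if __name__ == "__main__":
    # Constructed sample: a KSK (257 = ZONE|SEP) with a six-byte "public key".
    flags, proto, alg, pk = parse_dnskey("257 3 8 AQIDBAUG")
    print("tag as trusted :", key_tag(flags, proto, alg, pk))
    print("tag when revoked:", key_tag(flags | REVOKE_FLAG, proto, alg, pk))
    anchors = {pk: key_tag(flags, proto, alg, pk)}
    published = [(flags | REVOKE_FLAG, proto, alg, pk)]
    print("without self-signature:", apply_revocations(anchors, published, set()))
    revoked_tag = key_tag(flags | REVOKE_FLAG, proto, alg, pk)
    print("with self-signature   :", apply_revocations(anchors, published, {revoked_tag}))
    print("remaining anchors     :", anchors)
```

The design point worth taking from the second function is the lookup key: a validator or monitoring script that indexes trust anchors by key tag will not recognize the revoked KSK-2010 (tag 19164) as the anchor it has on file (tag 19036), while one that indexes by key material handles the revocation exactly as RFC 5011 intends.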