nz DNSSEC KSK rollover - Standby Chain

Felipe Barbosa felipe at internetnz.net.nz
Mon Jul 8 22:34:39 UTC 2024


Kia ora koutou,

InternetNZ is beginning its return to routine DNSSEC operations.
Starting on 15-07-2024 (NZST), we will begin our improved process, which
incorporates changes from internal and external reviews following the
DNSSEC incident in May 2023.

This will consist of four short maintenance windows, in which we will
pause zone distribution to make changes, perform validation, and
resume zone distribution.
The status and scheduling will be posted to status.internetnz.nz. To
be notified, subscribe to IRS Production > Zone Publish.

Window 1
We will change the DS TTL in DNSSEC policy for the standby chain of
second level domains.
This change addresses the issues encountered in May 2023.

Window 2
We will perform a KSK rollover on the standby DNSSEC chain for nz,
ac.nz, co.nz, net.nz, gen.nz, org.nz, govt.nz, parliament.nz, geek.nz,
school.nz, kiwi.nz, iwi.nz, maori.nz, cri.nz, health.nz, and mil.nz.
This will generate new DNSSEC keys and add them to the standby signing
chain.

Window 3
We will mark the keys generated in window 2 as active in the standby
DNSSEC chain.

Window 4
Window 4 will occur after the TTL safety period (2xTTL, 2 Days) has
lapsed and DNSSEC RRSET validation is possible via both the old keys
and new keys.
The DNSSEC policies updated in Window 1 with the correct TTL timing
will be enforced; this will result in the safe retirement of the old
keys and allow us to remove redundant keys from the zones.

The current standby chain key tags for each zone are as follows:

nz:            49157
ac.nz:          5938
co.nz:         59176
cri.nz:        19190
geek.nz:        7171
gen.nz:        48574
govt.nz:       18181
health.nz:     33694
iwi.nz:        58454
kiwi.nz:       47464
maori.nz:      21689
mil.nz:        43906
net.nz:        25105
org.nz:        24626
parliament.nz: 49424
school.nz:     27382
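The four windows above amount to a checklist an operator of a delegated zone can verify independently: the announced key tags should appear as KSKs in the published DNSKEY RRset after Window 2/3, and old keys should not disappear before 2 x TTL has elapsed. The following script is an added example written for this page, not InternetNZ's own tooling. It implements the standard key-tag computation from RFC 4034 Appendix B, parses presentation-format DNSKEY records (the format `dig DNSKEY co.nz` prints), and carries out the Window 4 safety-period arithmetic. The sample RRset is constructed test data with a deliberately tiny, non-cryptographic key blob; the DS TTL of 86400 seconds is an assumption chosen so that 2 x TTL matches the two days quoted in the announcement.

```python
"""Added example (not InternetNZ's tooling): check announced standby-chain key
tags against a DNSKEY RRset and compute the 2 x TTL gate for Window 4.

Assumptions (labelled): RFC 4034 Appendix B key-tag algorithm; DS TTL of
86400 s so that 2 x TTL is the two days quoted above; SAMPLE_RRSET is
constructed data, not a real .nz key.
"""
import base64
import struct

# Standby-chain key tags exactly as listed in the announcement.
ANNOUNCED_STANDBY_TAGS = {
    "nz": 49157, "ac.nz": 5938, "co.nz": 59176, "cri.nz": 19190,
    "geek.nz": 7171, "gen.nz": 48574, "govt.nz": 18181, "health.nz": 33694,
    "iwi.nz": 58454, "kiwi.nz": 47464, "maori.nz": 21689, "mil.nz": 43906,
    "net.nz": 25105, "org.nz": 24626, "parliament.nz": 49424,
    "school.nz": 27382,
}


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        # Even-offset octets are shifted into the high byte, odd ones added as-is.
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse 'owner TTL IN DNSKEY flags proto alg base64key...' (dig output format)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    return {
        "owner": fields[0].rstrip(".").lower(),
        "ttl": int(fields[1]),
        "flags": int(fields[idx + 1]),
        "protocol": int(fields[idx + 2]),
        "algorithm": int(fields[idx + 3]),
        # dig may split the base64 key across several whitespace-separated chunks.
        "pubkey": base64.b64decode("".join(fields[idx + 4:])),
    }


def is_ksk(flags: int) -> bool:
    """A KSK carries both the ZONE (0x100) and SEP (0x001) flag bits."""
    return flags & 0x101 == 0x101


def ksk_tags(zone: str, rrset: list) -> set:
    """Key tags of every KSK owned by `zone` in a presentation-format DNSKEY RRset."""
    tags = set()
    for line in rrset:
        rr = parse_dnskey(line)
        if rr["owner"] == zone.lower() and rr["protocol"] == 3 and is_ksk(rr["flags"]):
            tags.add(key_tag(rr["flags"], rr["protocol"], rr["algorithm"], rr["pubkey"]))
    return tags


def missing_tags(zone: str, rrset: list, expected: set) -> set:
    """Expected key tags that are NOT published as KSKs, i.e. the rollover is not done yet."""
    return set(expected) - ksk_tags(zone, rrset)


def window4_earliest(ds_ttl_seconds: int, new_ds_published_ts: int) -> int:
    """Unix time at which 2 x DS TTL has elapsed since the new DS/DNSKEY became visible;
    before this, a cache may still hold only the old key, so the old key must stay."""
    return new_ds_published_ts + 2 * ds_ttl_seconds


def may_retire_old_keys(ds_ttl_seconds: int, new_ds_published_ts: int, now_ts: int) -> bool:
    """Window 4 gate: True only once the safety period has fully lapsed."""
    return now_ts >= window4_earliest(ds_ttl_seconds, new_ds_published_ts)


# Constructed sample RRset. 'AAECAw==' decodes to 00 01 02 03: not a real key,
# just enough RDATA to exercise the key-tag arithmetic.
SAMPLE_RRSET = [
    "example.test. 3600 IN DNSKEY 257 3 13 AAECAw==",  # KSK (ZONE+SEP), key tag 1554
    "example.test. 3600 IN DNSKEY 256 3 13 AAECAw==",  # ZSK, ignored by the KSK check
]

if __name__ == "__main__":
    print("KSK tags published:", ksk_tags("example.test", SAMPLE_RRSET))
    print("announced but missing:", missing_tags("example.test", SAMPLE_RRSET, {1554}))
    assumed_ds_ttl = 86400           # assumption: 1 day, so 2 x TTL = 2 days as in the announcement
    published = 1721001600           # assumed timestamp of Window 3 (constructed)
    print("old keys may be removed from:", window4_earliest(assumed_ds_ttl, published))
```

To run this against a live zone, replace `SAMPLE_RRSET` with the answer-section lines of `dig +dnssec DNSKEY <zone>` and `{1554}` with the tag from `ANNOUNCED_STANDBY_TAGS` for that zone; between Window 3 and Window 4 both the old and the new standby KSK tags should be present, and `may_retire_old_keys` stays False until the full 2 x TTL has passed since the new keys were first observed.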

We would like to emphasise that if you encounter any DNSSEC issues,
please report them to us via registry at internetnz.net.nz.
We will keep you updated, and provide a summary report at the
conclusion of incident-related work.

--

Ngā mihi
Felipe Agnelli Barbosa
DNS Specialist
InternetNZ  |  Ipurangi Aotearoa

We are the home of .nz and we work for an Internet that benefits all of
Aotearoa.
www.internetnz.nz

GPG: 95C1 8BDC EFA7 9CAC 303D  003E A058 2449 D152 8580