[dns-operations] [Ext] Re: GOV zone operational update: DNSSEC transition to algorithm 13

Benjamin Farine benjamin.farine at icann.org
Wed May 22 08:56:09 UTC 2024


Yes we won't remove DS/DNSKEYs algo 7 till C-root has been fixed. 

Benjamin Farine 
Lead Infrastructure Engineer - DNS 

On 22/05/2024, 10:42, "dns-operations on behalf of Christian Elmerot" <dns-operations-bounces at dns-oarc.net <mailto:dns-operations-bounces at dns-oarc.net> on behalf of christian at elmerot.se <mailto:christian at elmerot.se>> wrote:

On 2024-05-22 10:01, Stephane Bortzmeyer wrote:
> On Wed, May 22, 2024 at 09:23:12AM +0200,
> Christian Elmerot <christian at elmerot.se <mailto:christian at elmerot.se>> wrote
>> We are putting the transition on hold for the moment until all the root
>> servers are publishing the same version of the root zone
> Note that .INT's new DS with ECDSA has been published but C root does
> not see it. I assume .INT will hold its transition as well.
> % dig +short @a.root-servers.net int DS
> 59895 13 2 10C789F286599316D3A74C2C513434C3F8A33B9238976D5DE2A178E5 4DA353F3
> 27433 7 2 5864812D4DF2A4A455D905AF311389F479AFCD96FD369060941C7E17 0B40CA4F
> % dig +short @c.root-servers.net int DS
> 27433 7 2 5864812D4DF2A4A455D905AF311389F479AFCD96FD369060941C7E17 0B40CA4F

In the absence of messaging I'd not assume anything. Let's hope they 
don't remove the algo 7 DS and more importantly don't remove the algo 7 
DNSKEYs before C-root has been fixed + DS TTLs

Christian Elmerot
Cloudflare Authoritative DNS
dns-operations mailing list
dns-operations at lists.dns-oarc.net <mailto:dns-operations at lists.dns-oarc.net>
https://urldefense.com/v3/__https://lists.dns-oarc.net/mailman/listinfo/dns-operations__;!!PtGJab4!76shFGgMX_aidIeka4ACarQabqnVSjmSyhnJMgNfea6yTydc1FpgaZQreIvy3mtdQAUH6BYUbAHPGU5Ph8D4pyUkPrNm7Ok$ <https://urldefense.com/v3/__https://lists.dns-oarc.net/mailman/listinfo/dns-operations__;!!PtGJab4!76shFGgMX_aidIeka4ACarQabqnVSjmSyhnJMgNfea6yTydc1FpgaZQreIvy3mtdQAUH6BYUbAHPGU5Ph8D4pyUkPrNm7Ok$> [lists[.]dns-oarc[.]net]

More information about the dns-operations mailing list