Root Zone DNSSEC Operational Update

Wessels, Duane dwessels at verisign.com
Tue Jun 10 07:26:15 UTC 2025


Verisign, in its role as the root zone ZSK operator, is transitioning
to a new Hardware Security Module (HSM) product for the root zone's
Zone Signing Key (ZSK). The current HSM vendor, Ultra Intelligence &
Communications, has announced their KeyperPLUS will no longer be supported
by them. Verisign will use an HSM product from Thales for the root zone
ZSK going forward.

On July 1, 2025 we will begin using the Thales HSM to sign the root zone
on a daily basis. Although we anticipate this will be a seamless change
for end users and anticipate no problems, prudence dictates that we need
a backout plan, should it become necessary. As part of our backout plan,
we will be post-publishing the previous quarter's ZSK for a longer than
normal period of time.

Normally, following a quarterly ZSK rollover, the previous key is
post-published for a period of 10 days. As part of our HSM transition, we
will instead post-publish the previous ZSK for a period of 80 days. This
provides ample time to remediate any issues that may arise as part of
this transition, and should it become necessary, to revert to using the
old HSM to sign the root zone.