[org-algorithm-roll] Upcoming DNSSEC changes to PIR delegated Top Level Domains

Carl Clements cclement at afilias.info
Wed Sep 16 17:18:06 UTC 2020 

In the next 24 hours, the following changes will be made to the ORG zone:

The DNSKEY RRSIG generated using the ZSK will be removed.
All other RR sets will be signed with an unpublished RSA/SHA-256 ZSK, in
addition to the RRSIG with the existing RSA/SHA-1 ZSK.
A new salt value will be used and the number of hash iterations will
increase in the NSEC3PARAM.

--
Carl Clements
Internet Operations Specialist
Afilias DNS Infrastructure Group


On Fri, 4 Sep 2020 at 14:09, Suzanne Woolf <swoolf at pir.org> wrote:

> Dear Colleagues,
>
> As Joe and Suzanne have mentioned previously, Afilias is working on
> several DNSSEC operational changes to the TLDs delegated to PIR. This note
> enumerates the changes we are planning to make below.  We certainly welcome
> any comments you may have which could help us improve the plan, along with
> any clarifying questions.
> Thanks,
> Suzanne & Joe
>
> Objective
> As has been described in various technical meetings earlier this year, our
> immediate goal is to remove any dependency on the SHA-1 algorithm from the
> DNSSEC parameters used to sign PIR’s top-level domains.
> PIR Top-Level Domains
> The PIR  top-level domains that will be included in this work are:
>
>
>    - ORG
>    - NGO
>    - ONG
>    - संगठन / XN--I1B6B1A6A2E
>    - 机构 / XN--NQV7F
>    - орг /  XN--C1AVG
>    - 组织机构 / XN--NQV7FS00EMA
>
> Changes to each Top Level Domain DNSKEY RRset
> Currently, a DNSSEC enabled query for the DNSKEY RRset for a PIR TLD
> returns 3 DNSKEYs -- current KSK (2048 bits), current and next ZSKs (1024
> bits) -- along with 2 RRSIGs, one by the KSK, one by the current ZSK.  All
> of the DNSKEYs currently use algorithm 7 (RSASHA1-NSEC3-SHA1).
>
> Afilias will remove the DNSKEY RRSIG generated using the ZSK, as this is
> superfluous.
>
> Most importantly, we will be performing an algorithm roll of the DNSKEYs
> to algorithm 8 (RSA/SHA-256), using the methodology described in RFC 6781.
>
> At this time, we do not plan to suppress the pre-publication of the
> incoming ZSK.
> We also do not plan to increase the size of the ZSK for now, to keep
> response sizes smaller while we perform the algorithm roll. We plan to
> increase the effective ZSK key strength at a later date, e.g. by rolling in
> a 2048-bit RSA key or doing an algorithm roll from algorithm 8
> (RSA/SHA-256) to algorithm 13 (ECDSA P-256). We will share details of our
> plans once they have solidified, which we do not expect to happen before
> this first set of changes is complete.
> Changes to each Top Level Domain Delegation DS RRset
>
> We will be removing all DS records in the root zone which use algorithm 1
> (SHA-1).  This will reduce the DS RRSet to a single DS record.  The DS
> record will be changed as part of the  algorithm roll mentioned above.
> Changes to each Top Level Domain NSEC3PARAM
>
> Afilias will be changing the salt value during the algorithm roll, Hash
> Iterations: we will be changing the number of hash iterations from 1 to 100.
> Timeline
>
> Below is an estimated timeline for this transition.  Later dates could be
> subject to change due to an unforeseen delay. We’ve tried to allow plenty
> of time for anomalies to appear, while keeping things moving.
>
> # Task Timeframe Dependencies Notes
>
> 1 Signer Adjustments 2020-09-15 None Stop ZSK RRSIG on DNSKEYS, etc.
>
> 2 Generate key material 2020-09-15 None SHA-256 DNSKEYs, DSs
>
> 3 Re-sign w/ new ZSK 2020-09-15 2 Allows for comments, holiday
>
> 4 RRSIG hold down period 2020-09-15 - 2020-09-21 3
>
> 5 Publish new DNSKEYs 2020-09-21- 2020-09-25 4
>
> 6 DNSKEY add hold down 2020-09-25 - 2020-09-28 5
>
> 7 Prepare RZM Request 2020-09-22 - 2020-09-24 2
>
> 8 Send RZM Request 2020-09-28 6, 7
>
> 9 RZM Processing 2020-09-28 - 2020-10-05 8 Assumes timely ACKs
>
> 10 DS change hold down period 2020-09-29 - 2020-10-09 9
>
> 11 Remove old DNSKEYs 2020-10-13 - 2020-10-19 10 and also old KSK RRSIG
>
> 12 DNSKEY remove hold down 2020-10-13 - 2020-10-23 11
>
> 13 Remove old RRSIGs 2020-10-17 - 2020-10-25 12
>
> _______________________________________________
> org-algorithm-roll mailing list
> org-algorithm-roll at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/org-algorithm-roll
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/org-algorithm-roll/attachments/20200916/f9e9fc51/attachment-0001.html>

More information about the org-algorithm-roll mailing list