[NLNOG] [matt.larson at icann.org: Operational message: DNS root zone KSK rollover to occur on October 11, 2017 at 1600 UTC]

Job Snijders job at ntt.net
Sun Sep 17 14:42:10 CEST 2017


NLNOG community - FYI

----- Forwarded message from Matt Larson <matt.larson at icann.org> -----

Date: Fri, 15 Sep 2017 15:54:02 +0000
From: Matt Larson <matt.larson at icann.org>
To: "nanog at nanog.org" <nanog at nanog.org>
Subject: Operational message: DNS root zone KSK rollover to occur on October 11, 2017 at 1600 UTC

The root zone management partners, ICANN and Verisign, are working
together to change the DNS root zone's key-signing key (KSK). This
process is referred to as "rolling" the root zone KSK.

The root zone's apex DNSKEY RRset has been signed with the same KSK,
known as KSK-2010, since the root zone was first signed in July, 2010.
On October 11, 2017, at approximately 1600 UTC, the root zone will be
published with the apex DNSKEY RRset signed for the first time with a
new KSK, known as KSK-2017. The root zone apex DNSKEY RRset will be
signed with only KSK-2017 going forward.

While the specific date of the KSK rollover, October 11, 2017, had been
announced previously, the time of 1600 UTC on that day has not been
announced until now, which is the primary purpose of this message.

The public portion of the root zone KSK is configured as a trust anchor
in software performing DNSSEC validation. The configuration of any
software performing DNSSEC validation will need to be updated to
reference KSK-2017 on or before October 11, 2017, or all DNS responses
received by that software will fail DNSSEC validation, resulting
ultimately in error messages to end users. In many cases, software
performing DNSSEC validation supports "Automated Updates of DNS
Security", the protocol defined in RFC 5011 that can automatically
update a DNSSEC validator's trust anchor configuration. If the software
does not support this protocol, or it is incorrectly implemented or not
configured correctly, the trust anchor will need to be updated manually.

Anyone operating software performing DNSSEC validation with the root
zone KSK configured as a trust anchor must take action on or before
October 11, 2017, to confirm that their software is configured with
KSK-2017 as a trust anchor and, if not, take the necessary steps to
update the configuration.

Further information about the root KSK rollover, including information
about how to check and update the trust anchor configuration of popular
recursive resolver implementations that support DNSSEC validation, is
available at https://icann.org/kskroll.

For the root zone management partners,

Matt Larson
VP of Research, ICANN

Duane Wessels
Distinguished Engineer, Verisign




----- End forwarded message -----
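
Added example (not part of the forwarded message, and not ICANN or Verisign tooling): a Python check that a validator's trust-anchor file holds the new KSK as a trusted anchor, rather than as a key RFC 5011 processing still has pending. The file layout is assumed to follow Unbound's auto-trust-anchor file, the sample keys are constructed, and the function names are hypothetical; for the real rollover the published key tags are 19036 (KSK-2010) and 20326 (KSK-2017), which the message does not state.

```python
import base64
import re

# Constructed sample in the layout of an Unbound auto-trust-anchor file (assumed
# layout); the 3-byte keys are fake and stand in for the real root KSKs.
SAMPLE = """\
; autotrust trust anchor file (constructed sample)
. 172800 IN DNSKEY 257 3 8 AQID ;{id = 2059 (ksk), size = 24b} ;;state=2 [  VALID  ] ;;count=0
. 172800 IN DNSKEY 257 3 8 BAUG ;{id = 3598 (ksk), size = 24b} ;;state=1 [ ADDPEND ] ;;count=2
"""

STATE = re.compile(r";;state=\d+\s*\[\s*(\w+)\s*\]")
SEP, REVOKE = 0x0001, 0x0080  # DNSKEY flag bits (RFC 4034, RFC 5011)

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def trust_anchors(text):
    """Yield (key_tag, flags, state) for every DNSKEY record in the file."""
    for line in text.splitlines():
        record, _, comment = line.partition(";")
        fields = record.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        m = STATE.search(comment)
        # No RFC 5011 annotation means a statically configured anchor.
        yield key_tag(flags, proto, alg, pubkey), flags, m.group(1) if m else "STATIC"

def validator_ready(text, new_tag):
    """True only if the KSK with new_tag is present, unrevoked and trusted."""
    return any(
        tag == new_tag and flags & SEP and not flags & REVOKE
        and state in ("VALID", "STATIC")
        for tag, flags, state in trust_anchors(text)
    )

if __name__ == "__main__":
    for tag in (2059, 3598):
        print(tag, "trusted" if validator_ready(SAMPLE, tag) else "NOT trusted")
```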

