[lacnog] Signing of the ARPA zone

Hugo Salgado Hernandez hsalgado en nic.cl
Mon Mar 22 21:57:40 BRT 2010


Hi Nicolás.
This is an announcement that the top-level domain ".arpa" has started
signing its zone with DNSSEC. Since it is a critical domain (it is queried
to obtain reverse lookups), it is important to proceed with caution,
checking whether everything keeps working correctly.

Among the tests is running the command
  % host <IP-address>
to see whether we get the reverse-lookup answer, or equivalently
  % dig -x <IP-address>

For more detail you can query the relevant DNSSEC records:
  % dig dnskey arpa.
  % dig ns arpa. +dnssec
  % dig any aaaa.arpa. +dnssec

The important thing is to see whether the resolver is able to obtain the
larger DNS answers that are generated by signing.

A more complete test (although not specifically related to .arpa) can be
found at
  https://www.dns-oarc.net/oarc/services/replysizetest

Regards,

Hugo Salgado
NIC Chile - .CL

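The checks above boil down to one question: can the resolver receive the larger, RRSIG-carrying answers of a signed zone, or does it only see truncated 512-byte replies? The following Python script is an added example and is not part of Hugo's message or the LACNOG thread. It builds a DNSSEC-aware query (EDNS0 OPT record advertising a 4096-byte UDP payload with the DO bit set) and parses a response header and record list, flagging the TC bit, the AD bit, the advertised EDNS size and whether any RRSIG is present. The helper names are mine, and the two sample responses are constructed byte strings so that it runs offline; `send_query()` is the only function that touches the network.

```python
"""Build an EDNS0/DO query and inspect DNS answers for DNSSEC-related trouble.

Added example, not code from the original post. All function names are
assumptions of this example; sample_*_response() return constructed
packets, not captured traffic.
"""
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 28: "AAAA", 41: "OPT",
              43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, udp_size=4096, do_bit=True):
    """Query with an OPT record advertising udp_size and (optionally) the DO bit.

    Without EDNS0 a resolver is limited to 512-byte UDP answers, which the
    RRSIG-laden responses of a signed zone easily exceed; that is exactly the
    failure mode the message above asks operators to look for.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, type 41, CLASS field = UDP payload size,
    # TTL field = ext. RCODE / version / flags; DO is bit 15 of the flags.
    flags = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, flags, 0)
    return header + question + opt


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(data):
    """Summarise header flags, record types and EDNS size of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "size": len(data), "types": [],
            "edns_udp_size": None}
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            info["edns_udp_size"] = rclass  # OPT reuses CLASS for the payload size
        else:
            info["types"].append(TYPE_NAMES.get(rtype, str(rtype)))
    info["signed"] = "RRSIG" in info["types"]
    return info


def diagnose(data):
    """'truncated' (retry over TCP / enable EDNS0), 'signed' or 'unsigned'."""
    info = parse_response(data)
    if info["tc"]:
        return "truncated"
    return "signed" if info["signed"] else "unsigned"


def _rr(owner, rtype, rdata, ttl=3600, rclass=1):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def sample_signed_response():
    """Constructed answer to 'arpa. DNSKEY': DNSKEY + RRSIG + OPT, AD set, no TC."""
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)  # QR RD RA AD
    question = encode_name("arpa.") + struct.pack("!HH", 48, 1)
    owner = b"\xC0\x0C"  # pointer to the question name at offset 12
    dnskey = _rr(owner, 48, struct.pack("!HBB", 257, 3, 8) + b"\x01" * 64)  # dummy key
    rrsig = _rr(owner, 46, struct.pack("!HBBIIIH", 48, 8, 1, 3600, 0, 0, 0)
                + encode_name("arpa.") + b"\x02" * 64)  # dummy signature
    opt = _rr(b"\x00", 41, b"", ttl=0x8000, rclass=4096)
    return header + question + dnskey + rrsig + opt


def sample_truncated_response():
    """Constructed reply a 512-byte-limited path would see: TC set, no answer."""
    return struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) \
        + encode_name("arpa.") + struct.pack("!HH", 48, 1)


def send_query(resolver, name, qtype=48, timeout=3.0):
    """Send build_query() over UDP to a real resolver and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (resolver, 53))
        data, _ = s.recvfrom(65535)
    return parse_response(data)


if __name__ == "__main__":
    for sample in (sample_signed_response, sample_truncated_response):
        print(sample.__name__, "->", diagnose(sample()), parse_response(sample()))
```

To use it against a real resolver, call `send_query("<resolver-ip>", "arpa.")` and look at `tc`, `edns_udp_size` and `signed`: a `truncated` verdict from a resolver that also fails the `dig ... +dnssec` checks points at a path that drops EDNS0 or fragments, which is the same condition the OARC reply-size test measures.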

Nicolás Ruiz wrote:
> Could someone more familiar with this whole process comment a bit
> on it? Personally I'm still quite green on this and don't know where
> to start.
> 
> nicolás
> 
> Joe Abley wrote:
>> Colleagues,
>>
>> This is a follow-up to the operational announcement regarding changes
>> to the ARPA top-level domain that was sent on 2010-03-10. Apologies in
>> advance for duplicates received through different mailing lists.
>>
>> As of 2010-03-17 1630 UTC all the authoritative servers for ARPA are
>> serving a signed ARPA zone.
>>
>> We would like to solicit feedback from the technical community to
>> allow us to identify any operational ill-effects that this change has
>> caused. We will monitor this mailing list for feedback, and I will
>> also distribute any feedback sent to me personally so that it can be
>> considered.
>>
>> If no harmful effects have been identified by 2010-03-21 the trust
>> anchor for the ARPA zone will be published through the IANA ITAR at
>> <https://itar.iana.org/>.
>>
>> Regards,
>>
>>
>> Joe
>>
>> Begin forwarded message:
>>
>>> From: Joe Abley <joe.abley en icann.org>
>>> Date: 10 March 2010 16:13:46 EST
>>> To: Joe Abley <joe.abley en icann.org>
>>> Subject: Signing of the ARPA zone
>>>
>>> Colleagues,
>>>
>>> This is a technical, operational announcement regarding changes to
>>> the ARPA top-level domain. Apologies in advance for duplicates
>>> received through different mailing lists.
>>>
>>> No specific action is requested of operators. This message is for
>>> your information only.
>>>
>>> The ARPA zone is about to be signed using DNSSEC. The technical
>>> parameters by which ARPA will be signed are as follows:
>>>
>>> KSK Algorithm and Size: 2048 bit RSA
>>> KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
>>> KSK Signature Algorithm: SHA-256
>>> Validity period for signatures made with KSK: 15 days; new signatures
>>> published every 10 days
>>> ZSK Algorithm and Size: 1024 bit RSA
>>> ZSK Rollover: every 3 months
>>> ZSK Signature Algorithm: SHA-256
>>> Authenticated proof of non-existence: NSEC
>>> Validity period for signatures made with ZSK: 7 days; zone generated
>>> and re-signed twice per day
>>>
>>> The twelve root server operators [1] will begin to serve a signed
>>> ARPA zone instead of the (current) unsigned ARPA zone during a
>>> maintenance window which will open at 2010-03-15 0001 UTC and close
>>> at 2010-03-17 2359 UTC. Individual root server operators will carry
>>> out their maintenance at times within that window according to their
>>> own operational preference.
>>>
>>> The trust anchor for the ARPA zone will be published in the ITAR [2],
>>> and in the root zone in the form of a DS record once the root zone is
>>> signed.
>>>
>>> If you have any concerns or require further information, please let
>>> me know.
>>>
>>> Regards,
>>>
>>>
>>> Joe Abley
>>> Director DNS Operations, ICANN
>>>
>>> [1] <http://www.root-servers.org/>
>>> [2] <https://itar.iana.org/>
>>
>> _______________________________________________
>> LACNOG mailing list
>> LACNOG en lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/lacnog
>>