[lacnog] Fwd: [Lista ArNOG] Operational message: DNS root zone KSK rollover to occur on October 11, 2017 at 1600 UTC

Mie Sep 20 17:27:31 BRT 2017

fyi, entramos en uno de los momentos de la rotación de la KSK en la 
cual tenemos que prestar atención al tamaño de los paquetes y posibles 
temas de fragmentación.

Forwarded message:

> From: Luciano Minuchin <luciano.minuchin en gmail.com>
> To: lista en arnog.com.ar
> Subject: [Lista ArNOG] Fwd: Operational message: DNS root zone KSK 
> rollover to occur on October 11, 2017 at 1600 UTC
> Date: Wed, 20 Sep 2017 16:21:29 -0300
>
> FYI,
>
> Ya se definió el horario en el cual se realizara esta parte del 
> cambio en
> la Zona Raiz, es uno de los mas importantes en este proceso, estén 
> atentos
> a verificar sus DNS si todavía no lo realizaron.
>
>
> Saludos
>
> Luciano.
>
>
> ---------- Forwarded message ----------
> From: Matt Larson <matt.larson en icann.org>
> Date: 2017-09-20 14:25 GMT-03:00
> Subject: Operational message: DNS root zone KSK rollover to occur on
> October 11, 2017 at 1600 UTC
> To: "root-dnssec-announce en iana.org" <root-dnssec-announce en iana.org>
>
>
> The root zone management partners, ICANN and Verisign, are working 
> together
> to change the DNS root zone's key-signing key (KSK). This process is
> referred to as "rolling" the root zone KSK.
>
> The root zone's apex DNSKEY RRset has been signed with the same KSK, 
> known
> as KSK-2010, since the root zone was first signed in July, 2010. On 
> October
> 11, 2017, at approximately 1600 UTC, the root zone will be published 
> with
> the apex DNSKEY RRset signed for the first time with a new KSK, known 
> as
> KSK-2017. The root zone apex DNSKEY RRset will be signed with only 
> KSK-2017
> going forward.
>
> While the specific date of the KSK rollover, October 11, 2017, had 
> been
> announced previously, the time of 1600 UTC on that day has not been
> announced until now, which is the primary purpose of this message.
>
> The public portion of the root zone KSK is configured as a trust 
> anchor in
> software performing DNSSEC validation. The configuration of any 
> software
> performing DNSSEC validation will need to be updated to reference 
> KSK-2017
> on or before October 11, 2017, or all DNS responses received by that
> software will fail DNSSEC validation, resulting ultimately in error
> messages to end users. In many cases, software performing DNSSEC 
> validation
> supports "Automated Updates of DNS Security", the protocol defined in 
> RFC
> 5011 that can automatically update a DNSSEC validator's trust anchor
> configuration. If the software does not support this protocol, or it 
> is
> incorrectly implemented or not configured correctly, the trust anchor 
> will
> need to be updated manually.
>
> Anyone operating software performing DNSSEC validation with the root 
> zone
> KSK configured as a trust anchor must take action on or before October 
> 11,
> 2017, to confirm that their software is configured with KSK-2017 as a 
> trust
> anchor and, if not, take the necessary steps to update the 
> configuration.
>
> Further information about the root KSK rollover, including information
> about how to check and update the trust anchor configuration of 
> popular
> recursive resolver implementations that support DNSSEC validation, is
> available at https://icann.org/kskroll.
>
> For the root zone management partners,
>
> Matt Larson
> VP of Research, ICANN
>
> Duane Wessels
> Distinguished Engineer, Verisign
>
> _______________________________________________
> root-dnssec-announce mailing list
> root-dnssec-announce en icann.org
> https://mm.icann.org/mailman/listinfo/root-dnssec-announce

> _______________________________________________
> Lista mailing list
> Lista en arnog.com.ar
> http://mailmancabase.interdotnet.com.ar/mailman/listinfo/lista
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20170920/106705a4/attachment.html>