[lacnog] Fwd: [ksk-rollover] Root zone KSK-2010 is now revoked

Carlos M. Martinez carlosm3011 at gmail.com
Fri Jan 11 12:11:33 -02 2019


FYI,

This is the last (or rather the second-to-last :-) ) step in the KSK 
rollover cycle.

Although nobody should be depending on this for anything any more, note 
that the key tag of KSK-2010 changes.

Regards

/Carlos

Forwarded message:

> From: Matt Larson <matt.larson at icann.org>
> To: ksk-rollover at icann.org
> Subject: [ksk-rollover] Root zone KSK-2010 is now revoked
> Date: Fri, 11 Jan 2019 14:02:05 +0000
>
> Dear colleagues,
>
> A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root 
> zone management partner, Verisign, published root zone serial number 
> 2019011100 with the RFC 5011 REVOKE bit set. As a result, KSK-2010's 
> key tag has changed from 19036 to 19164. In addition, the root DNSKEY 
> RRset is now signed with two KSKs: the current KSK (KSK-2017) as well 
> as the former KSK (KSK-2010). The second signature is required by RFC 
> 5011 to prove possession of KSK-2010's private key to assert the 
> revocation. This second signature makes the response to a query for 
> the root zone's DNSKEY RRset increase in size from 1414 bytes to 1425 
> bytes.
>
> We don't expect any operational issues from this change. The DNSKEY 
> RRset size increase is small, and other zones currently publish 
> considerably larger apex DNSKEY RRsets without apparent issue. In 
> addition, because KSK-2010 has not been used for signing since the 
> root KSK rollover to KSK-2017 on 11 October 2018, no DNSSEC validators 
> that are currently validating correctly can be depending on it.
>
> Nevertheless, please let us know if you suspect any issues or have any 
> questions.
>
> For the root zone management partners,
>
> Matt
> --
> Matt Larson, VP of Research
> ICANN Office of the CTO
> matt.larson at icann.org
>
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover
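
Added example (not part of the original message, and not ICANN's or Verisign's code): why setting the RFC 5011 REVOKE bit moves a DNSKEY's key tag by 128, as in the 19036 to 19164 change reported above, computed with the RFC 4034 Appendix B key tag algorithm. The key bytes are constructed placeholder data, not the real KSK-2010 public key, and the function names are this example's own.

```python
# Constructed sample: placeholder key bytes, NOT the real KSK-2010 public key.
SAMPLE_KEY = bytes(range(256))
REVOKE = 0x0080                # RFC 5011 REVOKE bit in the DNSKEY flags field
ANNOUNCED_OLD_TAG, ANNOUNCED_NEW_TAG = 19036, 19164   # values quoted in the message


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # sum the RDATA as 16-bit words
    acc += (acc >> 16) & 0xFFFF               # fold the carry back in once
    return acc & 0xFFFF


def set_revoke(rdata):
    """Return the same key with the REVOKE bit set in its flags field."""
    flags = int.from_bytes(rdata[:2], "big") | REVOKE
    return flags.to_bytes(2, "big") + rdata[2:]


def same_key(rdata_a, rdata_b):
    """Compare two DNSKEYs by key material, ignoring the REVOKE bit.

    Tooling that matches keys by key tag alone would treat the revoked
    key as an unknown key; this comparison does not.
    """
    def normalise(rdata):
        flags = int.from_bytes(rdata[:2], "big") & ~REVOKE
        return flags.to_bytes(2, "big") + rdata[2:]
    return normalise(rdata_a) == normalise(rdata_b)


if __name__ == "__main__":
    active = dnskey_rdata(257, 3, 8, SAMPLE_KEY)   # flags 257 = ZONE | SEP
    revoked = set_revoke(active)                   # flags become 385
    print("active tag :", key_tag(active))
    print("revoked tag:", key_tag(revoked))
    print("tag shift  :", key_tag(revoked) - key_tag(active))
    print("same key   :", same_key(active, revoked))
```

The shift is exactly 128 unless adding the bit carries across the 16-bit boundary of the running sum, in which case the fold step adds one more.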

