[lacnog] Fwd: [DNSOP] Root zone KSK-2010 is now revoked

Nicolas Antoniello nantoniello at gmail.com
Fri Jan 11 12:13:09 -02 2019


---------- Forwarded message ---------
From: Matt Larson
Date: Fri, Jan 11, 2019 at 12:08
Subject: [DNSOP] Root zone KSK-2010 is now revoked
To: dnsop

Dear colleagues,

A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root zone
management partner, Verisign, published root zone serial number 2019011100
with the RFC 5011 REVOKE bit set. As a result, KSK-2010's key tag has
changed from 19036 to 19164. In addition, the root DNSKEY RRset is now
signed with two KSKs: the current KSK (KSK-2017) as well as the former KSK
(KSK-2010). The second signature is required by RFC 5011 to prove
possession of KSK-2010's private key to assert the revocation. This second
signature makes the response to a query for the root zone's DNSKEY RRset
increase in size from 1414 bytes to 1425 bytes.

We don't expect any operational issues from this change. The DNSKEY RRset
size increase is small, and other zones currently publish considerably
larger apex DNSKEY RRsets without apparent issue. In addition, because
KSK-2010 has not been used for signing since the root KSK rollover to
KSK-2017 on 11 October 2018, no DNSSEC validators that are currently
validating correctly can be depending on it.

Nevertheless, please let us know if you suspect any issues or have any

May we also suggest subscribing to ksk-rollover at icann.org to receive
announcements and participate in discussion about the KSK rollover process
in particular and DNSSEC in the root zone in general.

For the root zone management partners,

Matt Larson, VP of Research
ICANN Office of the CTO
matt.larson at icann.org

DNSOP mailing list
DNSOP at ietf.org
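
The key tag change reported in the message above (19036 to 19164) follows from the RFC 4034 Appendix B key tag algorithm, because the flags field is part of the checksummed DNSKEY RDATA. The following is an added example, not part of the original message: it uses a constructed placeholder public key (not KSK-2010's real key material), and the function names are illustrative.

```python
import struct

FLAG_ZONE = 0x0100    # Zone Key bit (RFC 4034)
FLAG_REVOKE = 0x0080  # REVOKE bit (RFC 5011)
FLAG_SEP = 0x0001     # Secure Entry Point bit, set on a KSK

# Constructed 32-byte placeholder, NOT the real KSK-2010 public key.
SAMPLE_PUBKEY = bytes(range(1, 33))

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry once."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def revoke(flags):
    """Flags value after the REVOKE bit is set."""
    return flags | FLAG_REVOKE

def describe(flags):
    """Names of the flag bits set, for reading DNSKEY records in a response."""
    names = [(FLAG_ZONE, "ZONE"), (FLAG_REVOKE, "REVOKE"), (FLAG_SEP, "SEP")]
    return [name for bit, name in names if flags & bit]

def tags_before_after(public_key, algorithm=8):
    """Key tags of the same key with KSK flags (257) and with REVOKE set (385)."""
    active = FLAG_ZONE | FLAG_SEP
    before = key_tag(dnskey_rdata(active, 3, algorithm, public_key))
    after = key_tag(dnskey_rdata(revoke(active), 3, algorithm, public_key))
    return before, after

if __name__ == "__main__":
    before, after = tags_before_after(SAMPLE_PUBKEY)
    # Setting REVOKE adds 0x80 to the word sum, so the tag normally moves by
    # 128 (129 when the low 16 bits of the sum wrap and add to the carry).
    print("sample key:", before, "->", after, "shift", after - before)
    print("announcement:", 19036, "->", 19164, "shift", 19164 - 19036)
    print("flags 257:", describe(257), " flags 385:", describe(385))
```

Anything that matches keys by tag (trust anchor files, monitoring, log correlation) sees the revoked key as a different tag even though the key material is unchanged.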