[lacnog] (OOT) Re: Upcoming changes to the DNSSEC root trust anchor
Javier Bustos
jbustos at niclabs.cl
Thu Nov 7 07:51:32 -03 2024
wine, borgoña and crudos
On Thu, 7 Nov 2024 at 7:21, Carlos M. Martinez | LACNIC
(<carlos at lacnic.net>) wrote:
>
> Or for a sailors' tavern!
>
> On Thu, 7 Nov 2024 at 12:54 AM Tomas Lynch <tomas.lynch at gmail.com> wrote:
>>
>> I insist that The Trust Anchor is an excellent name for a restaurant.
>>
>> On Tue, Nov 5, 2024 at 6:04 PM Carlos M. Martinez | LACNIC <carlos at lacnic.net> wrote:
>>
>> Thanks Andres!
>>
>> On Tue, 5 Nov 2024 at 7:12 PM Andres Pavez <andres.pavez at iana.org> wrote:
>>
>> Dear Colleagues,
>>
>> We are reaching out to inform you of important changes to the DNSSEC trust anchor in the root zone. If you manage a validating DNS resolver or a tool that interacts with the DNS root zone you might need to change your software to handle the changes. This letter provides a summary of the upcoming changes and gives pointers to resources that describe them in detail.
>>
>> *Upcoming addition of the KSK-2024 trust anchor*
>>
>> On January 11, 2025, a new trust anchor, codenamed KSK-2024, will appear in the root zone for the global DNS. This key was generated earlier this year and will co-exist with the current trust anchor, codenamed KSK-2017. The new DNSKEY record is:
>>
>> . 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ 1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe
>> ayffKC73PYc=
>>
>> As a result of this addition, some DNS responses may be larger during the transition period. If your software uses the RFC 5011 process for managing trust anchors, KSK-2024 will be automatically trusted about one month after its introduction to the root zone. There are two important planned dates:
>>
>> * October 11, 2026: KSK-2024 will begin signing the root zone.
>> * January 11, 2027: KSK-2017 is scheduled to be revoked.
>>
>> For a detailed description of the rollover process, please refer to https://www.iana.org/dnssec/files
>>
>> *New trust anchor file*
>>
>> IANA has issued a new trust anchor file using the updated XML format described in https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/ , which has recently been approved to be published as an RFC. The new trust anchor file contains additional data that was not provided in previous versions of the file.
>>
>> If your software or processes use the IANA trust anchor file (published at https://data.iana.org/root-anchors/root-anchors.xml ), you should ensure you have processes to retrieve it regularly (such as weekly) and check your systems can process the revised format of the file.
>>
>> *Keep in touch*
>>
>> Operational announcements regarding trust anchors and rollovers are published on the root-dnssec-announce mailing list at https://lists.icann.org/postorius/lists/root-dnssec-announce.icann.org/ . A separate ksk-rollover mailing list, a forum for discussion specific to rollovers, can be found at https://lists.icann.org/postorius/lists/ksk-rollover.icann.org/ .
>>
>> Best regards,
>> --
>> Andres Pavez
>> Cryptographic Key Manager
>>
>> _______________________________________________
>> LACNOG mailing list
>> LACNOG at lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/lacnog
>> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
More information about the LACNOG mailing list
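
An added example, not part of the thread or of IANA's tooling: it recomputes the key tag (RFC 4034, Appendix B) and the SHA-256 DS digest from the KSK-2024 DNSKEY quoted in the announcement, then checks them against the KeyDigest entries of a trust anchor file. The element names (KeyDigest, KeyTag, Algorithm, DigestType, Digest, PublicKey, Flags) are assumed from the rfc7958bis draft, and the XML is a constructed sample, not the published file.

```python
import base64, hashlib, struct
import xml.etree.ElementTree as ET

# Public key field of the KSK-2024 DNSKEY record quoted in the announcement.
KSK_2024_B64 = (
    "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c"
    "idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb"
    "GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s"
    "iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp"
    "dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ"
    "1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe"
    "ayffKC73PYc="
)

def dnskey_rdata(flags, algorithm, key_b64, protocol=3):
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(rdata, owner_wire=b"\x00"):
    """DS digest type 2: SHA-256 over owner name (root = one zero byte) + RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def check_anchor_file(xml_text):
    """Map KeyTag -> bool for each KeyDigest that carries PublicKey and Flags."""
    results = {}
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        pub, flags = kd.findtext("PublicKey"), kd.findtext("Flags")
        if pub is None or flags is None:
            continue  # entry without key material: nothing to recompute
        rdata = dnskey_rdata(int(flags), int(kd.findtext("Algorithm")), "".join(pub.split()))
        tag = int(kd.findtext("KeyTag"))
        results[tag] = (kd.findtext("DigestType") == "2" and key_tag(rdata) == tag
                        and ds_sha256(rdata) == kd.findtext("Digest").strip().upper())
    return results

def sample_anchor_file(flags=257):
    """Constructed one-entry file (not IANA's); digest fields derived from the key above."""
    rd = dnskey_rdata(257, 8, KSK_2024_B64)
    return (f"<TrustAnchor><Zone>.</Zone><KeyDigest><KeyTag>{key_tag(rd)}</KeyTag>"
            f"<Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{ds_sha256(rd)}</Digest>"
            f"<PublicKey>{KSK_2024_B64}</PublicKey><Flags>{flags}</Flags></KeyDigest></TrustAnchor>")

if __name__ == "__main__":
    print(check_anchor_file(sample_anchor_file()))     # consistent entry
    print(check_anchor_file(sample_anchor_file(256)))  # Flags altered after the digest was computed
```

An entry whose PublicKey or Flags no longer matches its KeyTag and Digest is reported as False, which is the condition to alert on when the file is refetched on a schedule.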