[Lista ArNOG] Fwd: Operational message: DNS root zone KSK rollover to occur on October 11, 2017 at 1600 UTC

Luciano Minuchin luciano.minuchin en gmail.com
Mie Sep 20 16:21:29 ART 2017


FYI,

Ya se definió el horario en el cual se realizara esta parte del cambio en
la Zona Raiz, es uno de los mas importantes en este proceso, estén atentos
a verificar sus DNS si todavía no lo realizaron.


Saludos

Luciano.


---------- Forwarded message ----------
From: Matt Larson <matt.larson en icann.org>
Date: 2017-09-20 14:25 GMT-03:00
Subject: Operational message: DNS root zone KSK rollover to occur on
October 11, 2017 at 1600 UTC
To: "root-dnssec-announce en iana.org" <root-dnssec-announce en iana.org>


The root zone management partners, ICANN and Verisign, are working together
to change the DNS root zone's key-signing key (KSK). This process is
referred to as "rolling" the root zone KSK.

The root zone's apex DNSKEY RRset has been signed with the same KSK, known
as KSK-2010, since the root zone was first signed in July, 2010. On October
11, 2017, at approximately 1600 UTC, the root zone will be published with
the apex DNSKEY RRset signed for the first time with a new KSK, known as
KSK-2017. The root zone apex DNSKEY RRset will be signed with only KSK-2017
going forward.

While the specific date of the KSK rollover, October 11, 2017, had been
announced previously, the time of 1600 UTC on that day has not been
announced until now, which is the primary purpose of this message.

The public portion of the root zone KSK is configured as a trust anchor in
software performing DNSSEC validation. The configuration of any software
performing DNSSEC validation will need to be updated to reference KSK-2017
on or before October 11, 2017, or all DNS responses received by that
software will fail DNSSEC validation, resulting ultimately in error
messages to end users. In many cases, software performing DNSSEC validation
supports "Automated Updates of DNS Security", the protocol defined in RFC
5011 that can automatically update a DNSSEC validator's trust anchor
configuration. If the software does not support this protocol, or it is
incorrectly implemented or not configured correctly, the trust anchor will
need to be updated manually.

Anyone operating software performing DNSSEC validation with the root zone
KSK configured as a trust anchor must take action on or before October 11,
2017, to confirm that their software is configured with KSK-2017 as a trust
anchor and, if not, take the necessary steps to update the configuration.

Further information about the root KSK rollover, including information
about how to check and update the trust anchor configuration of popular
recursive resolver implementations that support DNSSEC validation, is
available at https://icann.org/kskroll.

For the root zone management partners,

Matt Larson
VP of Research, ICANN

Duane Wessels
Distinguished Engineer, Verisign

_______________________________________________
root-dnssec-announce mailing list
root-dnssec-announce en icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <http://mailmancabase.interdotnet.com.ar/pipermail/lista/attachments/20170920/9a7e1f96/attachment.html>


Más información sobre la lista de distribución Lista