Great work Matt & ICANN Team! That now officially ends my legacy in the DNS world ;-)
On Fri, Jan 11, 2019 at 9:07 AM Matt Larson <matt.lar...@icann.org> wrote:

> Dear colleagues,
>
> A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root zone
> management partner, Verisign, published root zone serial number 2019011100
> with the RFC 5011 REVOKE bit set. As a result, KSK-2010's key tag has
> changed from 19036 to 19164. In addition, the root DNSKEY RRset is now
> signed with two KSKs: the current KSK (KSK-2017) as well as the former KSK
> (KSK-2010). The second signature is required by RFC 5011 to prove
> possession of KSK-2010's private key to assert the revocation. This second
> signature makes the response to a query for the root zone's DNSKEY RRset
> increase in size from 1414 bytes to 1425 bytes.
>
> We don't expect any operational issues from this change. The DNSKEY RRset
> size increase is small, and other zones currently publish considerably
> larger apex DNSKEY RRsets without apparent issue. In addition, because
> KSK-2010 has not been used for signing since the root KSK rollover to
> KSK-2017 on 11 October 2018, no DNSSEC validators that are currently
> validating correctly can be depending on it.
>
> Nevertheless, please let us know if you suspect any issues or have any
> questions.
>
> May we also suggest subscribing to ksk-rollo...@icann.org to receive
> announcements and participate in discussion about the KSK rollover process
> in particular and DNSSEC in the root zone in general.
>
> For the root zone management partners,
>
> Matt
> --
> Matt Larson, VP of Research
> ICANN Office of the CTO
> matt.lar...@icann.org
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
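The key tag change reported in the quoted announcement (19036 to 19164) follows from how the tag is computed, shown here as an added example that is not part of the original thread. It implements the RFC 4034 Appendix B key tag over DNSKEY RDATA and sets the RFC 5011 REVOKE bit; the key bytes are constructed for illustration and are not the real KSK-2010 public key, and the helper names are hypothetical.

```python
import struct

ZONE = 0x0100    # Zone Key flag
SEP = 0x0001     # Secure Entry Point flag, set on KSKs
REVOKE = 0x0080  # RFC 5011 REVOKE flag


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in once
    return ac & 0xFFFF


def revoke(rdata):
    """Return the same DNSKEY RDATA with the REVOKE bit set in the flags field."""
    (flags,) = struct.unpack("!H", rdata[:2])
    return struct.pack("!H", flags | REVOKE) + rdata[2:]


# Constructed 32-byte key material (assumption), NOT the real KSK-2010 key.
CONSTRUCTED_KEY = bytes(range(32))
ACTIVE = dnskey_rdata(ZONE | SEP, 3, 8, CONSTRUCTED_KEY)  # flags 257
REVOKED = revoke(ACTIVE)                                  # flags 385

# REVOKE (0x0080) sits in the low byte of the flags word, so it adds 128 to
# the running sum. The tag therefore moves by 128, or by 129 in the rare case
# where the extra 128 changes the carry that gets folded back in.
if __name__ == "__main__":
    before, after = key_tag(ACTIVE), key_tag(REVOKED)
    print(f"constructed key: tag {before} -> {after} (delta {after - before})")
    print(f"announcement:    tag 19036 -> 19164 (delta {19164 - 19036})")
```

Because the tag is derived from the flags field, tooling that identifies KSK-2010 by tag 19036 has to expect 19164 once the key is published as revoked.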