Well done Matt and others! Appreciate your work!

   Patrik

On 12 Jan 2019, at 0:07, Matt Larson wrote:

> Dear colleagues,
>
> A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root zone 
> management partner, Verisign, published root zone serial number 2019011100 
> with the RFC 5011 REVOKE bit set. As a result, KSK-2010's key tag has changed 
> from 19036 to 19164. In addition, the root DNSKEY RRset is now signed with 
> two KSKs: the current KSK (KSK-2017) as well as the former KSK (KSK-2010). 
> The second signature is required by RFC 5011 to prove possession of 
> KSK-2010's private key to assert the revocation. This second signature makes 
> the response to a query for the root zone's DNSKEY RRset increase in size 
> from 1414 bytes to 1425 bytes.
>
> We don't expect any operational issues from this change. The DNSKEY RRset 
> size increase is small, and other zones currently publish considerably larger 
> apex DNSKEY RRsets without apparent issue. In addition, because KSK-2010 has 
> not been used for signing since the root KSK rollover to KSK-2017 on 11 
> October 2018, no DNSSEC validators that are currently validating correctly 
> can be depending on it.
>
> Nevertheless, please let us know if you suspect any issues or have any 
> questions.
>
> May we also suggest subscribing to ksk-rollo...@icann.org to receive 
> announcements and participate in discussion about the KSK rollover process in 
> particular and DNSSEC in the root zone in general.
>
> For the root zone management partners,
>
> Matt
> --
> Matt Larson, VP of Research
> ICANN Office of the CTO
> matt.lar...@icann.org
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
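
Added example, not part of the original messages or of ICANN's or Verisign's tooling: the RFC 4034 Appendix B key tag calculation, showing why setting the RFC 5011 REVOKE bit (flag value 128) moves a key tag by 128, as in the announced change from 19036 to 19164. The public key bytes are constructed sample data, not KSK-2010, and the helper names are hypothetical.

```python
import struct

ZONE = 0x0100    # Zone Key flag
REVOKE = 0x0080  # RFC 5011 REVOKE flag
SEP = 0x0001     # Secure Entry Point flag (set on KSKs)


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Build DNSKEY RDATA in wire format: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in once
    return acc & 0xFFFF


def is_revoked(flags):
    """True when the DNSKEY flags field carries the REVOKE bit."""
    return bool(flags & REVOKE)


# Constructed sample key material (32 bytes), NOT a real root KSK.
CONSTRUCTED_KEY = bytes(range(1, 33))


def tags_before_and_after_revocation(public_key=CONSTRUCTED_KEY):
    """Return (tag with flags 257, tag with flags 385) for the same key."""
    active = ZONE | SEP        # 257: an ordinary KSK
    revoked = active | REVOKE  # 385: the same KSK, revoked
    # Protocol is always 3; algorithm 8 (RSA/SHA-256) is a sample value here.
    before = key_tag(dnskey_rdata(active, 3, 8, public_key))
    after = key_tag(dnskey_rdata(revoked, 3, 8, public_key))
    return before, after


if __name__ == "__main__":
    before, after = tags_before_and_after_revocation()
    # REVOKE sits in the low byte of the first 16-bit word, so the running
    # sum grows by 128; the tag moves by 128 unless the carry fold changes.
    print(f"flags=257 tag={before}  flags=385 tag={after}  delta={after - before}")
```

Because the flags field is part of the hashed RDATA, tooling that matches trust anchors by key tag must treat a revoked key as a different tag over the same public key.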
