Well done Matt and others! Appreciate your work! Patrik
On 12 Jan 2019, at 0:07, Matt Larson wrote:

> Dear colleagues,
>
> A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root zone
> management partner, Verisign, published root zone serial number 2019011100
> with the RFC 5011 REVOKE bit set. As a result, KSK-2010's key tag has changed
> from 19036 to 19164. In addition, the root DNSKEY RRset is now signed with
> two KSKs: the current KSK (KSK-2017) as well as the former KSK (KSK-2010).
> The second signature is required by RFC 5011 to prove possession of
> KSK-2010's private key to assert the revocation. This second signature makes
> the response to a query for the root zone's DNSKEY RRset increase in size
> from 1414 bytes to 1425 bytes.
>
> We don't expect any operational issues from this change. The DNSKEY RRset
> size increase is small, and other zones currently publish considerably larger
> apex DNSKEY RRsets without apparent issue. In addition, because KSK-2010 has
> not been used for signing since the root KSK rollover to KSK-2017 on 11
> October 2018, no DNSSEC validators that are currently validating correctly
> can be depending on it.
>
> Nevertheless, please let us know if you suspect any issues or have any
> questions.
>
> May we also suggest subscribing to ksk-rollo...@icann.org to receive
> announcements and participate in discussion about the KSK rollover process in
> particular and DNSSEC in the root zone in general.
>
> For the root zone management partners,
>
> Matt
> --
> Matt Larson, VP of Research
> ICANN Office of the CTO
> matt.lar...@icann.org
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
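The key tag change in the announcement follows from RFC 4034 Appendix B, which computes the tag over the whole DNSKEY RDATA, flags included: setting the REVOKE bit (0x0080) turns flags 257 into 385 and moves the tag by 128, the same difference as 19036 to 19164. The following is an added example, not part of either message; it uses a constructed key rather than KSK-2010's key material, and `flags_of`, `set_revoke` and `find_by_tag` are hypothetical helper names.

```python
import struct

REVOKE = 0x0080  # RFC 5011 REVOKE flag in the DNSKEY flags field


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (any algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def flags_of(rdata: bytes) -> int:
    """Flags field: the first two octets of the DNSKEY RDATA."""
    return struct.unpack("!H", rdata[:2])[0]


def set_revoke(rdata: bytes) -> bytes:
    """Return the same DNSKEY RDATA with the REVOKE bit set."""
    return struct.pack("!H", flags_of(rdata) | REVOKE) + rdata[2:]


def find_by_tag(rrset, tag):
    """DNSKEYs in rrset whose computed key tag equals tag."""
    return [rd for rd in rrset if key_tag(rd) == tag]


# Constructed sample, NOT KSK-2010's key material: flags 257 (ZONE|SEP),
# protocol 3, algorithm 8, then a made-up RSA-style public key field.
CONSTRUCTED_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01]) + bytes(range(0x10, 0x30))
OLD_KSK = struct.pack("!HBB", 257, 3, 8) + CONSTRUCTED_PUBKEY
REVOKED_KSK = set_revoke(OLD_KSK)

if __name__ == "__main__":
    old_tag, new_tag = key_tag(OLD_KSK), key_tag(REVOKED_KSK)
    print(f"flags {flags_of(OLD_KSK)} -> {flags_of(REVOKED_KSK)}")
    print(f"key tag {old_tag} -> {new_tag} (delta {new_tag - old_tag})")
    # A monitor that still looks for the pre-revocation tag finds nothing.
    print("lookup by old tag:", len(find_by_tag([REVOKED_KSK], old_tag)))
    print("lookup by new tag:", len(find_by_tag([REVOKED_KSK], new_tag)))
```

Monitoring or trust-anchor tooling that identifies a key by its tag has to recompute the tag from the published RDATA after revocation. The delta is 128 unless the carry fold in the last two lines of `key_tag` changes, in which case it is 129.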