Colleagues,

This is a follow-up to the operational announcement regarding changes to the ARPA top-level domain that was sent on 2010-03-10. Apologies in advance for duplicates received through different mailing lists.

As of 2010-03-17 1630 UTC all the authoritative servers for ARPA are serving a signed ARPA zone.

We would like to solicit feedback from the technical community to allow us to identify any operational ill-effects that this change has caused. We will monitor this mailing list for feedback, and I will also distribute any feedback sent to me personally so that it can be considered.

If no harmful effects have been identified by 2010-03-21 the trust anchor for the ARPA zone will be published through the IANA ITAR at <https://itar.iana.org/>.

Regards,

Joe

Begin forwarded message:

> From: Joe Abley <joe.ab...@icann.org>
> Date: 10 March 2010 16:13:46 EST
> To: Joe Abley <joe.ab...@icann.org>
> Subject: Signing of the ARPA zone
>
> Colleagues,
>
> This is a technical, operational announcement regarding changes to the ARPA
> top-level domain. Apologies in advance for duplicates received through
> different mailing lists.
>
> No specific action is requested of operators. This message is for your
> information only.
>
> The ARPA zone is about to be signed using DNSSEC. The technical parameters by
> which ARPA will be signed are as follows:
>
>   KSK Algorithm and Size: 2048 bit RSA
>   KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
>   KSK Signature Algorithm: SHA-256
>   Validity period for signatures made with KSK: 15 days; new signatures
>     published every 10 days
>   ZSK Algorithm and Size: 1024 bit RSA
>   ZSK Rollover: every 3 months
>   ZSK Signature Algorithm: SHA-256
>   Authenticated proof of non-existence: NSEC
>   Validity period for signatures made with ZSK: 7 days; zone generated and
>     re-signed twice per day
>
> The twelve root server operators [1] will begin to serve a signed ARPA zone
> instead of the (current) unsigned ARPA zone during a maintenance window which
> will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Individual
> root server operators will carry out their maintenance at times within that
> window according to their own operational preference.
>
> The trust anchor for the ARPA zone will be published in the ITAR [2], and in
> the root zone in the form of a DS record once the root zone is signed.
>
> If you have any concerns or require further information, please let me know.
>
> Regards,
>
>
> Joe Abley
> Director DNS Operations, ICANN
>
> [1] <http://www.root-servers.org/>
> [2] <https://itar.iana.org/>