Upcoming changes to the DNSSEC root trust anchor

2024-11-06 Thread Andres Pavez
Dear Colleagues,

We are reaching out to inform you of important changes to the DNSSEC trust 
anchor in the root zone. If you manage a validating DNS resolver or a tool that 
interacts with the DNS root zone you might need to change your software to 
handle the changes. This letter provides a summary of the upcoming changes and 
gives pointers to resources that describe them in detail.

*Upcoming addition of the KSK-2024 trust anchor*

On January 11, 2025, a new trust anchor, codenamed KSK-2024, will appear in the 
root zone for the global DNS. This key was generated earlier this year and will 
co-exist with the current trust anchor, codenamed KSK-2017. The new DNSKEY 
record is:

. 172800 IN DNSKEY 257 3 8 
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c 
idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb 
GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s 
iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp 
dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ 
1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe 
ayffKC73PYc=

As a result of this addition, some DNS responses may be larger during the 
transition period. If your software uses the RFC 5011 process for managing 
trust anchors, KSK-2024 will be automatically trusted about one month after its 
introduction to the root zone. There are two important planned dates:

* October 11, 2026: KSK-2024 will begin signing the root zone.
* January 11, 2027: KSK-2017 is scheduled to be revoked.

For a detailed description of the rollover process, please refer to 
https://www.iana.org/dnssec/files 

*New trust anchor file*

IANA has issued a new trust anchor file using the updated XML format described 
in https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/ , which has 
recently been approved to be published as an RFC. The new trust anchor file 
contains additional data that was not provided in previous versions of the file.

If your software or processes use the IANA trust anchor file (published at 
https://data.iana.org/root-anchors/root-anchors.xml ), you should ensure you 
have processes to retrieve it regularly (such as weekly) and check your systems 
can process the revised format of the file.

*Keep in touch*

Operational announcements regarding trust anchors and rollovers are published 
on the root-dnssec-announce mailing list at 
https://lists.icann.org/postorius/lists/root-dnssec-announce.icann.org/ . A 
separate ksk-rollover mailing list, a forum for discussion specific to 
rollovers, can be found at 
https://lists.icann.org/postorius/lists/ksk-rollover.icann.org/ .

Best regards,
-- 
Andres Pavez 
Cryptographic Key Manager 
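
An added example, not part of the announcement and not IANA code: one way to check that software handles the revised trust anchor file is to recompute each entry's key tag and SHA-256 digest (RFC 4034) from its published key. The `PublicKey` and `Flags` element names are assumed from the rfc7958bis draft, and the XML below is a constructed sample built from the DNSKEY in this message, not the real file.

```python
import base64, hashlib, struct
import xml.etree.ElementTree as ET

# KSK-2024 public key, copied from the DNSKEY record in the announcement.
KSK_2024_B64 = (
    "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c"
    "idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb"
    "GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s"
    "iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp"
    "dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ"
    "1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe"
    "ayffKC73PYc="
)

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def root_ds_digest(rdata):
    """DS digest type 2 (SHA-256) for the root zone; the owner name on the wire is one zero byte."""
    return hashlib.sha256(b"\x00" + rdata).hexdigest().upper()

def check_anchor_file(xml_text):
    """Map each KeyDigest id to True if its KeyTag and Digest match its own PublicKey."""
    results = {}
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        pub, ok = kd.findtext("PublicKey"), False  # no PublicKey: unverifiable, report False
        if pub is not None and kd.findtext("DigestType") == "2":
            rdata = dnskey_rdata(int(kd.findtext("Flags")), 3, int(kd.findtext("Algorithm")), pub)
            ok = (key_tag(rdata) == int(kd.findtext("KeyTag"))
                  and root_ds_digest(rdata) == kd.findtext("Digest").strip().upper())
        results[kd.get("id")] = ok
    return results

def sample_anchor_xml():
    """Constructed sample: one consistent entry and one with a corrupted digest."""
    rdata = dnskey_rdata(257, 3, 8, KSK_2024_B64)
    entry = ('<KeyDigest id="{id}"><KeyTag>{tag}</KeyTag><Algorithm>8</Algorithm>'
             '<DigestType>2</DigestType><Digest>{dig}</Digest>'
             '<PublicKey>' + KSK_2024_B64 + '</PublicKey><Flags>257</Flags></KeyDigest>')
    good = entry.format(id="sample-good", tag=key_tag(rdata), dig=root_ds_digest(rdata))
    bad = entry.format(id="sample-bad", tag=key_tag(rdata), dig="00" * 32)
    return "<TrustAnchor><Zone>.</Zone>" + good + bad + "</TrustAnchor>"

if __name__ == "__main__":
    print(check_anchor_file(sample_anchor_xml()))
```
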



Re: [Ext] Reminder: New KSK Publication in DNS Root Zone

2025-01-07 Thread Andres Pavez
Please note that there is a mistake with the time in my previous email. 
The new Key Signing Key (KSK) will be published in the DNS root zone on January 
11 around 06:00 UTC, not 00:00 UTC as originally stated.
Best regards,
-- 
Andres Pavez 
Cryptographic Key Manager 


On 1/7/25, 11:59, "NANOG on behalf of Andres Pavez" <andres.pa...@iana.org> wrote:


This is a reminder that the new Key Signing Key (KSK) will be published in the 
DNS root zone starting January 11 at 00:00:00 UTC.


This will start the process of adoption of this trust anchor in RFC 5011 aware 
resolvers. We encourage operators to pay attention during this process to 
monitor for any unexpected consequences. 


Publishing the KSK is part of the process of ensuring widespread adoption of 
the KSK prior to its use in signing, currently scheduled for October 2026.


For more details, please visit: https://www.iana.org/dnssec/files 


Thanks,
-- 
Andres Pavez 
Cryptographic Key Manager 

Reminder: New KSK Publication in DNS Root Zone

2025-01-07 Thread Andres Pavez
This is a reminder that the new Key Signing Key (KSK) will be published in the 
DNS root zone starting January 11 at 00:00:00 UTC.

This will start the process of adoption of this trust anchor in RFC 5011 aware 
resolvers. We encourage operators to pay attention during this process to 
monitor for any unexpected consequences. 

Publishing the KSK is part of the process of ensuring widespread adoption of 
the KSK prior to its use in signing, currently scheduled for October 2026.

For more details, please visit: https://www.iana.org/dnssec/files 

Thanks,
-- 
Andres Pavez 
Cryptographic Key Manager 