Dear colleagues,


This is a heads-up for anybody who is either running DNSSEC-validating DNS resolvers or is using DNS resolvers that are performing DNSSEC validation.


The root zone of the DNS can currently be validated with either of two private keys:



Prior to Thursday 11th October 2018, both sets of signed ZSKs are published in the root zone which means that any DNS resolver which performs DNSSEC validation will function correctly as long as it has at least one of the two currently valid trust anchors (read: public exponents of the relevant keys) installed.


At this time, any properly configured DNS resolver performing DNSSEC validation should be validating signatures generated by KSK-2017 instead of validating signatures generated by KSK-2010.


On Thursday 11th October at 4PM UTC, the root ZSK signatures generated by KSK-2010 will cease to be published in the root zone and only the root ZSK signatures generated by KSK-2017 will be published in the root zone going forwards.


As a result of this, any DNS resolver which performs DNSSEC validation which is only configured with KSK-2010 as a valid trust anchor will fail to resolve any DNS queries as they will be considered 'bogus' (and by definition, a DNSSEC-validating resolver will not pass bogus results to clients).


The following links serve to provide further information as to what to do next and to potentially educate those who are operating your centrally-administered DNS resolvers:


https://www.icann.org/resources/press-material/release-2018-09-18-en
https://www.icann.org/resources/pages/ksk-rollover
Any DNS issues experienced on Thursday 11th October may need to be subject to closer scrutiny than usual to determine whether the fault has been caused by failure to install the new trust anchor in your DNS resolvers.


If your DNS resolvers are not performing DNSSEC validation, you do not need to take any action.


Please feel free to distribute this message further to any colleagues who may not be subscribed to this list but for whom you feel the content may be relevant.


Thanks in advance!


Regards,

Terry

--

Terry Froy

Cluster Systems Manager, Particle Physics

Queen Mary University of London

Tel: +44 (0)207 882 6560

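A local check a resolver operator could run against a trust-anchor file, added here as an example and not part of Terry's message: it parses DNSKEY records in zone-file presentation format (the form used by unbound's root.key and BIND trust-anchor statements), computes each key's tag per RFC 4034 Appendix B, and reports whether the root KSK set contains the new key, only the old key, or neither. The key-tag values 20326 (KSK-2017) and 19036 (KSK-2010) are the published ones and do not come from the message; the sample anchor file is constructed with tiny fake keys so it runs offline.

```python
import base64
import re
from typing import List, Tuple

# Zone-file presentation of a DNSKEY record (owner, optional TTL, class, type,
# flags, protocol, algorithm, base64 key), as in unbound's root.key.
DNSKEY_RE = re.compile(
    r"^\s*(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(?P<flags>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)$"
)
KSK_FLAGS = 257                               # ZONE (256) + SEP (1): a KSK
KSK_2017_TAG, KSK_2010_TAG = 20326, 19036     # published root KSK key tags

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_trust_anchors(text: str) -> List[Tuple[str, int, int]]:
    """Return (owner, flags, key_tag) for every DNSKEY line in the file."""
    found = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()  # drop zone-file comments
        m = DNSKEY_RE.match(line)
        if not m:
            continue
        pubkey = base64.b64decode("".join(m.group("key").split()))
        tag = key_tag(int(m.group("flags")), int(m.group("proto")),
                      int(m.group("alg")), pubkey)
        found.append((m.group("owner"), int(m.group("flags")), tag))
    return found

def root_ksk_status(text: str, new_tag: int = KSK_2017_TAG,
                    old_tag: int = KSK_2010_TAG) -> str:
    """'ok' if the new root KSK is an anchor, 'old-only' if only the old one
    is (validation will go bogus after the rollover), else 'missing'."""
    tags = {t for owner, flags, t in parse_trust_anchors(text)
            if owner == "." and flags == KSK_FLAGS}
    if new_tag in tags:
        return "ok"
    return "old-only" if old_tag in tags else "missing"

# Constructed sample anchor file: fake 3-byte keys, not the real root KSKs.
SAMPLE_ANCHORS = """\
; constructed example, not a real root.key
. 172800 IN DNSKEY 257 3 8 AQID ; fake KSK, tag 2059
. 172800 IN DNSKEY 257 3 8 BAUG ; fake KSK, tag 3598
. 172800 IN DNSKEY 256 3 8 AQID ; ZSK, ignored by the KSK check
"""
```

Run against a real file with the default tags: anything other than "ok" on a validating resolver means the 11th October cutover will leave it returning bogus for every query.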



