-------- Forwarded Message --------
Dear Colleagues,
We are reaching out to inform you of important changes to the
DNSSEC trust anchor in the root zone. If you manage a validating
DNS resolver or a tool that interacts with the DNS root zone you
might need to change your software to handle the changes. This
letter provides a summary of the upcoming changes and gives
pointers to resources that describe them in detail.
*Upcoming addition of the KSK-2024 trust anchor*
On January 11, 2025, a new trust anchor, codenamed KSK-2024, will
appear in the root zone for the global DNS. This key was generated
earlier this year and will co-exist with the current trust anchor,
codenamed KSK-2017. The new DNSKEY record is:
. 172800 IN DNSKEY 257 3 8
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c
idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb
GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s
iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp
dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ
1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe
ayffKC73PYc=
As a result of this addition, some DNS responses may be larger
during the transition period. If your software uses the RFC 5011
process for managing trust anchors, KSK-2024 will be automatically
trusted about one month after its introduction to the root zone.
There are two important planned dates:
* October 11, 2026: KSK-2024 will begin signing the root zone.
* January 11, 2027: KSK-2017 is scheduled to be revoked.
For a detailed description of the rollover process, please refer
to
https://www.iana.org/dnssec/files
*New trust anchor file*
IANA has issued a new trust anchor file using the updated XML
format described in
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/ ,
which has recently been approved to be published as an RFC. The
new trust anchor file contains additional data that was not
provided in previous versions of the file.
If your software or processes use the IANA trust anchor file
(published at
https://data.iana.org/root-anchors/root-anchors.xml
), you should ensure you have processes to retrieve it regularly
(such as weekly) and check your systems can process the revised
format of the file.
*Keep in touch*
Operational announcements regarding trust anchors and rollovers
are published on the root-dnssec-announce mailing list at
https://lists.icann.org/postorius/lists/root-dnssec-announce.icann.org/
. A separate ksk-rollover mailing list, a forum for discussion
specific to rollovers, can be found at
https://lists.icann.org/postorius/lists/ksk-rollover.icann.org/ .
Best regards,
--
Andres Pavez Cryptographic Key Manager
_______________________________________________
LACNOG mailing list
LACNOG@lacnic.net
https://mail.lacnic.net/mailman/listinfo/lacnog
Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
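An added example, not part of the forwarded message and not IANA tooling: it derives the RFC 4034 key tag and SHA-256 DS digest from the DNSKEY record quoted above and matches them against a trust anchor file, honouring the validity window and ignoring elements the parser does not know. The XML element names are assumed from the RFC 7958 layout, and the sample file, its `id` and its `validFrom` date are constructed.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

# KSK-2024 public key, copied from the DNSKEY record in the message above.
KSK_2024_B64 = "".join("""
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c
idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb
GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s
iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp
dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ
1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe
ayffKC73PYc=""".split())

def dnskey_rdata(key_b64, flags=257, protocol=3, algorithm=8):
    # DNSKEY RDATA wire format (RFC 4034, section 2.1).
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    # Key tag checksum from RFC 4034, Appendix B.
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(rdata, owner_wire=b"\x00"):
    # DS digest type 2: SHA-256 over the owner name (root) plus RDATA.
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def matching_anchor(xml_text, rdata, now):
    # Id of the KeyDigest valid at `now` whose tag and digest match rdata, else None.
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        until = kd.get("validUntil")
        if now < datetime.fromisoformat(kd.get("validFrom")) or (
                until and now >= datetime.fromisoformat(until)):
            continue
        if (kd.findtext("DigestType") == "2"
                and int(kd.findtext("KeyTag")) == key_tag(rdata)
                and kd.findtext("Digest").upper() == ds_sha256(rdata)):
            return kd.get("id")
    return None

def sample_anchor_file(rdata):
    # Constructed file (assumed RFC 7958 element names); not the real IANA data.
    return f"""<TrustAnchor id="constructed" source="example">
<Zone>.</Zone>
<KeyDigest id="example-ksk" validFrom="2025-01-01T00:00:00+00:00">
<KeyTag>{key_tag(rdata)}</KeyTag><Algorithm>8</Algorithm>
<DigestType>2</DigestType><Digest>{ds_sha256(rdata)}</Digest>
<PublicKey>{KSK_2024_B64}</PublicKey><Flags>257</Flags>
</KeyDigest></TrustAnchor>"""
```

Pass `now` as a timezone-aware `datetime`; in production the XML would be the retrieved trust anchor file, whose authenticity has to be checked separately before its contents are trusted.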