Important!!! Definition of the time of the change in the root zone.
Regards. Luciano.
---------- Forwarded message ----------
From: Matt Larson matt.larson@icann.org
Date: 2017-09-20 14:25 GMT-03:00
Subject: Operational message: DNS root zone KSK rollover to occur on October 11, 2017 at 1600 UTC
To: "root-dnssec-announce@iana.org" root-dnssec-announce@iana.org
The root zone management partners, ICANN and Verisign, are working together to change the DNS root zone's key-signing key (KSK). This process is referred to as "rolling" the root zone KSK.
The root zone's apex DNSKEY RRset has been signed with the same KSK, known as KSK-2010, since the root zone was first signed in July, 2010. On October 11, 2017, at approximately 1600 UTC, the root zone will be published with the apex DNSKEY RRset signed for the first time with a new KSK, known as KSK-2017. The root zone apex DNSKEY RRset will be signed with only KSK-2017 going forward.
While the specific date of the KSK rollover, October 11, 2017, had been announced previously, the time of 1600 UTC on that day has not been announced until now, which is the primary purpose of this message.
The public portion of the root zone KSK is configured as a trust anchor in software performing DNSSEC validation. The configuration of any software performing DNSSEC validation will need to be updated to reference KSK-2017 on or before October 11, 2017, or all DNS responses received by that software will fail DNSSEC validation, resulting ultimately in error messages to end users. In many cases, software performing DNSSEC validation supports "Automated Updates of DNS Security", the protocol defined in RFC 5011 that can automatically update a DNSSEC validator's trust anchor configuration. If the software does not support this protocol, or it is incorrectly implemented or not configured correctly, the trust anchor will need to be updated manually.
Anyone operating software performing DNSSEC validation with the root zone KSK configured as a trust anchor must take action on or before October 11, 2017, to confirm that their software is configured with KSK-2017 as a trust anchor and, if not, take the necessary steps to update the configuration.
Further information about the root KSK rollover, including information about how to check and update the trust anchor configuration of popular recursive resolver implementations that support DNSSEC validation, is available at https://icann.org/kskroll.
For the root zone management partners,
Matt Larson VP of Research, ICANN
Duane Wessels Distinguished Engineer, Verisign
root-dnssec-announce mailing list root-dnssec-announce@icann.org https://mm.icann.org/mailman/listinfo/root-dnssec-announce
True!
And by the way... we overlooked that anyone on this list had mentioned that we've reached 1414 bytes of response for the root zone (just below the dreaded 1500 MTU limit)
$ dig @l.root-servers.net . DNSKEY +dnssec +multi +stats
; <<>> DiG 9.11.2 <<>> @l.root-servers.net . DNSKEY +dnssec +multi +stats
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35173
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION: . 172800 IN DNSKEY 256 3 8 ( AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjl p4f81ZGQK42HNxSfkiSahinPR3t0YQhjC393NX4TorSi TJy76TBWddNOkC/IaGqcb4erU+nQ75k2Lf0oIpA7qTCk 3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH5FtfxhUq yTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknH uO1jVAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3 +pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUzIHIMWZRFA jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM= ) ; ZSK; alg = RSASHA256 ; key id = 15768 . 172800 IN DNSKEY 256 3 8 ( AwEAAcRIZfxskdElMKgjwvWQO2bQe7EGAvX6zgIaqmbs aMqmMrIpd1+bP7nyULLuL8jWnKAqcaVfal2yJD50gg5z Fl5yW/F9dKNXXEFI7VEcGrPyG6/OrA9RBU8pGWm0qxps Nm5UIgTU5IX7pb/0rBj67c/R7qln8sjH1ylsr4f1Y3R6 p/druiEalKasEjGKA9L2w9jzUQusWxM7fQx/T8c/3x3b sjveD1dleQ6MJaCx4bpPXYZpqXmSvGn+T2v5350cBVAF qVKhGbjxEyXAweem8cTU4L1p+DV7Ua11a1tMf0Tlu8pk pLwh7NQIggIEhJwEhPeXE3E4C6Q2/PFENcoFERc= ) ; ZSK; alg = RSASHA256 ; key id = 46809 . 172800 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ) ; KSK; alg = RSASHA256 ; key id = 19036 . 172800 IN DNSKEY 257 3 8 ( AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN 7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5 LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8 efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7 pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws 9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; KSK; alg = RSASHA256 ; key id = 20326 . 172800 IN RRSIG DNSKEY 8 0 172800 ( 20171010000000 20170919000000 19036 . 
G1B0YY5YGCRtT3HuZhR6/ivgiiZ5uBSkPri6Mrhz6lZt JeQMeIPiIlAO+Y8jEkurNYPL4Gk1kaprSKBbKnB3joIe GHGBBRiKYgS0cQk/NWuEX9JfLtW0RwZhrXTN7JsH15/W EjFQkH0LnR+R3WUFH8uHR4kxLFKztKDSZoNf+PR7pa8P K98YcjSW7rZcTV70V3daSwQTeJIpXpUhVUGXXju9WN0c RVVYCk7sRteUqKqJQxLBAlzYQX2CgPhZOTypqJxzj12e 9Y/9WPGkBLqfxHms0c/Om+NO5WhNNONLdoXX8Yw4okFC podGUO/UMrgM4qm7SWxXkjZwedzDZFJpYA== )
;; Query time: 101 msec
;; SERVER: 2001:500:9f::42#53(2001:500:9f::42)
;; WHEN: Wed Sep 20 16:23:50 UYT 2017
;; MSG SIZE rcvd: 1414
On Wed, Sep 20, 2017 at 4:22 PM, Luciano Minuchin < luciano.minuchin@gmail.com> wrote:
Important!!! Definition of the time of the change in the root zone.
Regards. Luciano.
dns-esp mailing list dns-esp@listas.nic.cl https://listas.nic.cl/mailman/listinfo/dns-esp
On 16:26 20/09, Mauricio Vergara Ereche wrote:
True!
And by the way... we overlooked that anyone on this list had mentioned that we've reached 1414 bytes of response for the root zone (just below the dreaded 1500 MTU limit)
But there is also the dreaded 1280 of IPv6 :) and in fact a and j, both Verisign's, are returning truncated responses and forcing the retry over TCP. The rest work flawlessly over UDP on v4 and v6.
I suppose the Verisign thing is deliberate. I think it still makes sense for resolvers that can't retry over TCP on their own, or that wait too long. At least those two letters will keep working.
Hugo
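As an added example (not code from this list, from ICANN or from Verisign), here is the arithmetic behind the 1414-byte figure and the key-tag check the announcement asks operators to make. The two KSK public keys are copied from the dig output above; the ZSK key size, the 256-byte RRSIG and the 11-byte OPT record are assumptions stated in the code.

```python
"""Key tag and wire-size arithmetic for the root DNSKEY response."""
import base64
import struct

# Root KSKs as quoted in the dig output above: KSK-2010 (key id 19036) and
# KSK-2017 (key id 20326). Flags 257 = SEP/KSK, protocol 3, algorithm 8.
ROOT_KSKS = {
    "KSK-2010": (257, 3, 8,
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh"
        "/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp"
        "oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO"
        "Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="),
    "KSK-2017": (257, 3, 8,
        "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN"
        "7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8"
        "efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY"
        "A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="),
}

def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B: sum of 16-bit words, then fold the carry in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def trust_anchor_tags():
    """Tags of both KSKs; compare the KSK-2017 value with the validator's config."""
    return {name: key_tag(dnskey_rdata(*v)) for name, v in ROOT_KSKS.items()}

def root_dnskey_response_size(rrsig_len=256, opt_len=11):
    """Bytes in the '. DNSKEY +dnssec' answer shown above. Assumptions: the two
    ZSKs are 2048-bit RSA like the KSKs (same RDATA length), one 256-byte
    RSASHA256 signature, and an OPT RR with no options (11 bytes)."""
    rdata_len = len(dnskey_rdata(*ROOT_KSKS["KSK-2017"]))
    rr_overhead = 1 + 10                      # owner "." + type, class, TTL, RDLENGTH
    header, question = 12, 1 + 2 + 2          # fixed header; QNAME "." + QTYPE + QCLASS
    dnskeys = 4 * (rr_overhead + rdata_len)
    rrsig = rr_overhead + 18 + 1 + rrsig_len  # fixed RRSIG fields, signer ".", signature
    return header + question + dnskeys + rrsig + opt_len

def udp_datagram_sizes(msg_len):
    """IP + UDP header + DNS payload, to compare with the 1500 (v4) and 1280 (v6) MTUs."""
    return {"ipv4": 20 + 8 + msg_len, "ipv6": 40 + 8 + msg_len}
```

The size function reproduces the 1414 bytes dig reported, and the datagram arithmetic shows why that fits an IPv4 1500-byte MTU but not the IPv6 1280-byte minimum, which is where the truncation and TCP retry Hugo describes come in.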