[pacnog] Important dates for DNS Key Signing Key Rollover
Dear PacNOG list members,
The Internet Corporation for Assigned Names and Numbers (ICANN) is planning to roll, or change, the “top” pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, commonly known as the Root Zone KSK. This will be the first time the KSK has been changed since it was initially generated in 2010, and is considered an important security step, in much the same way that regularly changing passwords is considered a prudent practice by any Internet user.
What does that mean?
Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.
Why do you need to prepare?
Currently, 25% of global Internet users, or 750 million people, use DNSSEC-validating resolvers that could be affected by the KSK rollover. If these validating resolvers do not have the new key when the KSK is rolled, end users relying on those resolvers will encounter errors and be unable to access the Internet.
How to know if your systems are up-to-date?
ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly. Check to make sure your systems are ready by visiting: http://go.icann.org/KSKtest.
What is the timeline for this process?
- October 27, 2016: KSK rollover process begins as the new KSK is generated.
- July 11, 2017: Publication of new KSK in DNS.
- September 19, 2017: Size increase for DNSKEY response from root name servers.
- October 11, 2017: New KSK begins to sign the root zone key set (the actual rollover event).
- January 11, 2018: Revocation of old KSK.
- March 22, 2018: Last day the old KSK appears in the root zone.
- August 2018: Old key is deleted from equipment in both ICANN Key Management Facilities.
More information about the root zone KSK rollover is available here: https://www.icann.org/resources/pages/ksk-rollover.
We are happy to have a call with you should you have any questions or feedback.
Thank you,
Save Vocea
VP, Global Stakeholder Engagement, Oceania
ICANN
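A check a resolver operator can run against the announcement above, added here as an example and not part of ICANN's message: compute the key tag of each record in the root DNSKEY set (RFC 4034 Appendix B), tell KSKs from ZSKs and revoked keys by their flag bits, and compare a trust-anchor file against the published set. The records are constructed with tiny fake public keys so the arithmetic can be followed by hand; real root keys are 2048-bit RSA, but the procedure is identical. Input lines are assumed to be in the one-record-per-line presentation format that `dig . DNSKEY` prints.

```python
"""Key-tag computation and trust-anchor check for the root KSK rollover.

Added example, not ICANN tooling. The DNSKEY records below are CONSTRUCTED with
tiny fake public keys so the arithmetic can be followed by hand. Key tags follow
RFC 4034 Appendix B; flag bits follow RFC 4034 section 2.1.1 plus the RFC 5011
REVOKE bit.
"""
import base64
from dataclasses import dataclass

FLAG_ZONE_KEY = 0x0100  # bit 7 set: zone key (both 256 and 257 carry it)
FLAG_REVOKE = 0x0080    # bit 8 set: RFC 5011 REVOKE (a 257 KSK becomes 385)
FLAG_SEP = 0x0001       # bit 15 set: Secure Entry Point, i.e. the KSK


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    @property
    def key_tag(self) -> int:
        """RFC 4034 Appendix B: even bytes shifted left 8, odd bytes as-is,
        fold the carry once, keep 16 bits. The REVOKE bit is inside the RDATA,
        so revoking a key changes its tag (by 128 for these small keys)."""
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & FLAG_SEP) and bool(self.flags & FLAG_ZONE_KEY)

    @property
    def is_revoked(self) -> bool:
        return bool(self.flags & FLAG_REVOKE)


def parse_dnskey(line: str) -> DnsKey:
    """Parse one presentation-format DNSKEY RR such as
    '. 172800 IN DNSKEY 257 3 8 AwEAA...' (TTL and class optional)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    key_b64 = "".join(fields[idx + 4:])  # base64 may be split over several fields
    return DnsKey(fields[0], flags, protocol, algorithm, base64.b64decode(key_b64))


def classify(lines) -> dict:
    """Map key tag -> role for every record in a DNSKEY RRset."""
    roles = {}
    for k in map(parse_dnskey, lines):
        roles[k.key_tag] = "KSK-revoked" if k.is_revoked else ("KSK" if k.is_ksk else "ZSK")
    return roles


def anchor_check(published, anchors):
    """Compare a resolver's trust-anchor records (e.g. the DNSKEY lines in Unbound's
    root.key) with the root DNSKEY RRset. Keys are matched on algorithm and key
    material, not on key tag, because a revoked key's tag differs from the one
    the resolver has configured. Returns (ready, findings)."""
    pub = {(k.algorithm, k.public_key): k for k in map(parse_dnskey, published)}
    configured = set()
    findings, ready = [], False
    for a in map(parse_dnskey, anchors):
        configured.add((a.algorithm, a.public_key))
        match = pub.get((a.algorithm, a.public_key))
        if match is None:
            findings.append(f"anchor {a.key_tag}: no longer in the root DNSKEY set")
        elif match.is_revoked:
            findings.append(f"anchor {a.key_tag}: published with REVOKE bit "
                            f"(tag now {match.key_tag}); must be dropped")
        else:
            findings.append(f"anchor {a.key_tag}: valid, currently published KSK")
            ready = True
    for (alg, pk), k in pub.items():
        if k.is_ksk and not k.is_revoked and (alg, pk) not in configured:
            findings.append(f"KSK {k.key_tag} is live in the root zone but not configured as an anchor")
    return ready, findings


# Constructed RRset modelled on the post-rollover root: a ZSK, the new KSK and the
# old KSK republished with the REVOKE bit (flags 385). Not real keys.
ROOT_DNSKEY = [
    ". 172800 IN DNSKEY 256 3 8 BQYHCA==",
    ". 172800 IN DNSKEY 257 3 8 CQoLDA==",
    ". 172800 IN DNSKEY 385 3 8 AQIDBA==",
]
STALE_ANCHORS = [". IN DNSKEY 257 3 8 AQIDBA=="]                    # only the old KSK
CURRENT_ANCHORS = STALE_ANCHORS + [". IN DNSKEY 257 3 8 CQoLDA=="]  # old and new KSK

if __name__ == "__main__":
    print(classify(ROOT_DNSKEY))
    for name, anchors in (("stale", STALE_ANCHORS), ("current", CURRENT_ANCHORS)):
        ready, findings = anchor_check(ROOT_DNSKEY, anchors)
        print(name, "ready" if ready else "NOT ready", *findings, sep="\n  ")
```

The stale anchor file fails the check twice: its only key now appears in the zone with the REVOKE bit, and the live KSK is not configured at all. Matching on key material rather than on tag is what makes the first finding possible; a resolver that only compared tags would report the old key as simply "gone".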

Hi Save,
For those of us who are relying on public DNS like Google DNS as our forward DNS, are we going to be affected? I wish to learn DNSSEC to enforce our own network security.
Thank you for the update.
On Tue, Sep 12, 2017 at 3:54 PM, Save Vocea save.vocea@icann.org wrote:
pacnog mailing list pacnog@pacnog.org https://mailman.apnic.net/mailman/listinfo/pacnog

Hello Tarau,
Google DNS does DNSSEC validation, and we can be certain that the folks at Google will make sure that their public DNS servers will get the new key. In that sense, you are not affected.
If you happen to be using a local DNS resolver, which is strongly recommended, and DNSSEC validation is enabled on it (most do by default nowadays), then it would normally pick up the new keys automatically, following the process described in RFC5011 (https://tools.ietf.org/html/rfc5011).
If you want to learn more about DNSSEC, you can take a look at some of the DNS/DNSSEC trainings we (Network Startup Resource Center) have delivered in the past, for example:
https://nsrc.org/workshops/2014/nsrc-icann-nicTR-dnssec/wiki/Agenda
If you're only interested in doing DNSSEC validation, then the work is minimal - you only need to be running Windows DNS or Unbound locally, and make sure DNSSEC validation is enabled.
If you want to sign (protect) your own DNS zone data (i.e.: the domain name for your own organization), then there's a bit more work involved.
If there's more interest for a DNSSEC workshop in the PacNOG community, then people should speak up :)
Regards,
Phil Regnauld
Network Startup Resource Center
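The RFC 5011 process Phil refers to, as an added simulation that is neither resolver code nor part of the thread: a trust point walks the states of RFC 5011 section 4.1 (Start, AddPend, Valid, Missing, Revoked, Removed) over observations of the root DNSKEY set on the dates from ICANN's announcement. Signature validity is asserted by the simulation (`signed_by`) instead of being verified cryptographically, keys are labels rather than real key material, and both hold-down timers use the 30 days RFC 5011 specifies. The two scenarios at the end are the ones that matter for this thread: a resolver that polled throughout, and one that was switched off between the July publication and the October rollover.

```python
"""RFC 5011 trust-anchor state machine, simulated over the root KSK rollover dates.

Added model, not Unbound or BIND code. Signature validity is asserted by the
simulation (`signed_by`), keys are labels, and hold-down timers are RFC 5011's
30 days. States follow RFC 5011 section 4.1.
"""
from dataclasses import dataclass
from datetime import date, timedelta

HOLD_DOWN = timedelta(days=30)  # add hold-down and remove hold-down


@dataclass(frozen=True)
class Observed:
    """One root DNSKEY RRset as fetched by a polling resolver."""
    when: date
    keys: frozenset       # labels of KSKs present
    revoked: frozenset    # those present with the REVOKE bit set
    signed_by: frozenset  # keys whose RRSIG over this RRset verified


@dataclass
class Anchor:
    state: str
    since: date           # when this state was entered


class TrustPoint:
    def __init__(self, initial_key: str, configured: date):
        self.anchors = {initial_key: Anchor("Valid", configured)}  # shipped anchor

    def valid_keys(self) -> set:
        return {k for k, a in self.anchors.items() if a.state == "Valid"}

    def can_validate(self, obs: Observed) -> bool:
        """The RRset is usable only if a currently Valid anchor signed it."""
        return bool(obs.signed_by & self.valid_keys())

    def observe(self, obs: Observed) -> None:
        # Revocation: REVOKE bit set and the RRset signed by that very key.
        for key in obs.revoked:
            a = self.anchors.get(key)
            if a and a.state in ("Valid", "Missing") and key in obs.signed_by:
                self.anchors[key] = Anchor("Revoked", obs.when)
        # New keys are learned only from an RRset that validates under a Valid anchor.
        if self.can_validate(obs):
            for key in obs.keys - obs.revoked:
                a = self.anchors.get(key)
                if a is None:
                    self.anchors[key] = Anchor("AddPend", obs.when)
                elif a.state == "AddPend" and obs.when - a.since >= HOLD_DOWN:
                    self.anchors[key] = Anchor("Valid", obs.when)  # survived hold-down
                elif a.state == "Missing":
                    self.anchors[key] = Anchor("Valid", obs.when)
        # Keys absent from the RRset, and revoked keys past the remove hold-down.
        for key, a in list(self.anchors.items()):
            if key not in obs.keys:
                if a.state == "AddPend":
                    del self.anchors[key]  # back to Start
                    continue
                if a.state == "Valid":
                    self.anchors[key] = Anchor("Missing", obs.when)
            if a.state == "Revoked" and obs.when - a.since >= HOLD_DOWN:
                self.anchors[key] = Anchor("Removed", obs.when)


def root_rollover_timeline() -> list:
    """Constructed observations on the dates from ICANN's announcement."""
    old, new, both, none = "KSK-2010", "KSK-2017", frozenset({"KSK-2010", "KSK-2017"}), frozenset()
    return [
        Observed(date(2017, 7, 11), both, none, frozenset({old})),   # new KSK published
        Observed(date(2017, 8, 12), both, none, frozenset({old})),   # still there after 30 days
        Observed(date(2017, 10, 11), both, none, frozenset({new})),  # rollover: new KSK signs
        Observed(date(2018, 1, 11), both, frozenset({old}), both),   # old KSK revoked, self-signed
        Observed(date(2018, 3, 22), frozenset({new}), none, frozenset({new})),  # old KSK gone
    ]


def simulate(first_poll: date):
    """Resolver shipped with KSK-2010 that starts polling on `first_poll`.
    Returns (final anchor states, per-observation 'could validate' flags)."""
    tp = TrustPoint("KSK-2010", date(2017, 1, 1))
    outcomes = []
    for obs in root_rollover_timeline():
        if obs.when < first_poll:
            continue  # resolver was off or not polling
        tp.observe(obs)
        outcomes.append(tp.can_validate(obs))
    return {k: a.state for k, a in tp.anchors.items()}, outcomes


def always_polling():
    return simulate(date(2017, 1, 1))


def offline_until_rollover():
    """Missed the July-October window, so never saw the new key signed by the old one."""
    return simulate(date(2017, 10, 11))


if __name__ == "__main__":
    print("polling:", *always_polling())
    print("offline:", *offline_until_rollover())
```

The polling resolver ends with KSK-2017 Valid and KSK-2010 Removed, and validates at every step. The resolver that first polls on rollover day sees an RRset signed only by a key it has never trusted, cannot add it, and then loses its last anchor when KSK-2010 is revoked; from that point it can validate nothing. RFC 5011 offers no automatic recovery from that state, which is why the announcement asks operators to confirm readiness beforehand; the fix is to re-seed the anchor file by hand (for Unbound, via unbound-anchor or a fresh root.key).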

Hi Phil,
Thank you for your clarification; I will go through the link given. I really want to learn DNSSEC for our utility company, PUB (a government SOE), because we are going to have multiple solar PV grids on our network that require security, and when it comes to expanding the infrastructure for a smart billing system we should already know this and have our local DNS secure and ready for the transition.
I would be grateful if there were training offered somewhere close by in the Pacific in the future, or online on YouTube to follow.
Thank you once again Phil and Save for passing on the request.
Kind regards
Tarau
On 13 Sep 2017 23:43, "Phil Regnauld" regnauld@nsrc.org wrote:

Followup:
Actually, this is mentioned on slide 21 here:
https://www.slideshare.net/apnic/btnog-4-dnssec-key-rollover
(From btNOG 4 in Bhutan this past June).
Cheers, Phil

well noted
rgds
On Wed, Sep 13, 2017 at 4:43 AM, Phil Regnauld regnauld@nsrc.org wrote: