Re: [DNSOP] Root zone KSK-2010 is now revoked

Mehmet Akcin <mehmet@akcin.net> Fri, 11 January 2019 14:17 UTC

References: <536B7B2F-7C6B-4E6F-B527-2ACEC81E9B68@icann.org>
In-Reply-To: <536B7B2F-7C6B-4E6F-B527-2ACEC81E9B68@icann.org>
From: Mehmet Akcin <mehmet@akcin.net>
Date: Fri, 11 Jan 2019 09:16:47 -0500
Message-ID: <CA+LTh5UMkHfwRUDVCBsL+C8Z=FRgzhQ3iCys4DwGDsFLmoYmfA@mail.gmail.com>
To: Matt Larson <matt.larson@icann.org>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/C3XwDBxRvvqlfj3JmLbu_oGDcYA>

Great work Matt & ICANN Team!

That now officially ends my legacy in the DNS world ;-)

On Fri, Jan 11, 2019 at 9:07 AM Matt Larson <matt.larson@icann.org> wrote:

> Dear colleagues,
>
> A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root zone
> management partner, Verisign, published root zone serial number 2019011100
> with the RFC 5011 REVOKE bit set. As a result, KSK-2010's key tag has
> changed from 19036 to 19164. In addition, the root DNSKEY RRset is now
> signed with two KSKs: the current KSK (KSK-2017) as well as the former KSK
> (KSK-2010). The second signature is required by RFC 5011 to prove
> possession of KSK-2010's private key to assert the revocation. This second
> signature makes the response to a query for the root zone's DNSKEY RRset
> increase in size from 1414 bytes to 1425 bytes.
>
> We don't expect any operational issues from this change. The DNSKEY RRset
> size increase is small, and other zones currently publish considerably
> larger apex DNSKEY RRsets without apparent issue. In addition, because
> KSK-2010 has not been used for signing since the root KSK rollover to
> KSK-2017 on 11 October 2018, no DNSSEC validators that are currently
> validating correctly can be depending on it.
>
> Nevertheless, please let us know if you suspect any issues or have any
> questions.
>
> May we also suggest subscribing to ksk-rollover@icann.org to receive
> announcements and participate in discussion about the KSK rollover process
> in particular and DNSSEC in the root zone in general.
>
> For the root zone management partners,
>
> Matt
> --
> Matt Larson, VP of Research
> ICANN Office of the CTO
> matt.larson@icann.org
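The key tag change in the quoted announcement (19036 to 19164 once the REVOKE bit is set) falls straight out of the RFC 4034 Appendix B key tag computation, because the REVOKE flag (0x0080) sits in the low byte of the first RDATA word. The following added example, which is not from either message and uses a constructed sample key rather than the real root KSK, shows the computation, the flag change from 257 to 385, and a parser for the presentation format that a `dig . DNSKEY` query returns.

```python
import base64

REVOKE = 0x0080  # RFC 5011 REVOKE flag bit
SEP = 0x0001     # Secure Entry Point (KSK) flag
ZONE = 0x0100    # Zone Key flag


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def flags_of(rdata: bytes) -> int:
    return int.from_bytes(rdata[:2], "big")


def is_revoked(rdata: bytes) -> bool:
    return bool(flags_of(rdata) & REVOKE)


def revoke(rdata: bytes) -> bytes:
    """Same key with the REVOKE bit set, as the root zone did for KSK-2010 (257 -> 385)."""
    return (flags_of(rdata) | REVOKE).to_bytes(2, "big") + rdata[2:]


def parse_presentation(line: str) -> bytes:
    """Parse 'flags protocol algorithm base64key' (the fields after DNSKEY in dig output)."""
    flags, proto, alg, *b64 = line.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def revocation_tag_delta(rdata: bytes) -> int:
    """Distance the key tag moves when REVOKE is set: 128, or 129 when the 16-bit
    accumulator carries. The announcement's 19036 -> 19164 is the plain 128 case."""
    return (key_tag(revoke(rdata)) - key_tag(rdata)) % 0x10000


# Constructed sample key (not a real root zone key): 32 deterministic bytes 0x41..0x60.
SAMPLE_PUBKEY = bytes(range(0x41, 0x61))
SAMPLE_KSK = dnskey_rdata(ZONE | SEP, 3, 8, SAMPLE_PUBKEY)  # flags 257, algorithm 8
SAMPLE_LINE = "257 3 8 " + base64.b64encode(SAMPLE_PUBKEY).decode()

if __name__ == "__main__":
    revoked = revoke(SAMPLE_KSK)
    print(f"flags {flags_of(SAMPLE_KSK)} -> {flags_of(revoked)}, "
          f"tag {key_tag(SAMPLE_KSK)} -> {key_tag(revoked)}")
```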