Re: [DNSOP] Root zone KSK-2010 is now revoked

Patrik Fältström <paf@frobbit.se> Fri, 11 January 2019 22:43 UTC

From: Patrik Fältström <paf@frobbit.se>
To: Matt Larson <matt.larson@icann.org>
Cc: dnsop <dnsop@ietf.org>
Date: Sat, 12 Jan 2019 08:43:17 +1000
Message-ID: <3FC4955E-240D-4055-ABCC-A820A31FF3F9@frobbit.se>
In-Reply-To: <536B7B2F-7C6B-4E6F-B527-2ACEC81E9B68@icann.org>
References: <536B7B2F-7C6B-4E6F-B527-2ACEC81E9B68@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_gNTYIsjGp0LUeFuwDczUyraLe4>

Well done Matt and others! Appreciate your work!

   Patrik

On 12 Jan 2019, at 0:07, Matt Larson wrote:

> Dear colleagues,
>
> A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root zone management partner, Verisign, published root zone serial number 2019011100 with the RFC 5011 REVOKE bit set. As a result, KSK-2010's key tag has changed from 19036 to 19164. In addition, the root DNSKEY RRset is now signed with two KSKs: the current KSK (KSK-2017) as well as the former KSK (KSK-2010). The second signature is required by RFC 5011 to prove possession of KSK-2010's private key to assert the revocation. This second signature makes the response to a query for the root zone's DNSKEY RRset increase in size from 1414 bytes to 1425 bytes.
>
> We don't expect any operational issues from this change. The DNSKEY RRset size increase is small, and other zones currently publish considerably larger apex DNSKEY RRsets without apparent issue. In addition, because KSK-2010 has not been used for signing since the root KSK rollover to KSK-2017 on 11 October 2018, no DNSSEC validators that are currently validating correctly can be depending on it.
>
> Nevertheless, please let us know if you suspect any issues or have any questions.
>
> May we also suggest subscribing to ksk-rollover@icann.org to receive announcements and participate in discussion about the KSK rollover process in particular and DNSSEC in the root zone in general.
>
> For the root zone management partners,
>
> Matt
> --
> Matt Larson, VP of Research
> ICANN Office of the CTO
> matt.larson@icann.org
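As an added example, not part of this message or of any ICANN or Verisign tooling, the Python below computes the RFC 4034 Appendix B key tag over DNSKEY RDATA and shows why setting the RFC 5011 REVOKE bit moves KSK-2010 from tag 19036 to 19164: the flags are the first 16-bit word of the RDATA, so the bit changes the tag, and a validator must look for the revoked key (and the revoking RRSIG's key tag) under the new value. The public key string is assumed to be the well-known KSK-2010 value shipped in resolver trust-anchor files; the announcement quotes only the tags.

```python
import base64
import struct

REVOKE = 0x0080  # RFC 5011 section 2.1 flag bit
SEP = 0x0001     # Secure Entry Point bit carried by KSKs (RFC 4034 section 2.1.1)

# KSK-2010 in presentation format ("flags protocol algorithm base64").
# Assumed value: the trust anchor distributed in resolver config files.
KSK_2010 = (
    "257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)


def parse_dnskey(text: str):
    """Split a presentation-format DNSKEY into (flags, protocol, algorithm, key bytes)."""
    flags, protocol, algorithm, *key = text.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key))


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def tags_before_and_after_revoke(text: str):
    """Key tag of the DNSKEY as published, and again with the REVOKE bit set."""
    flags, proto, alg, pub = parse_dnskey(text)
    before = key_tag(dnskey_rdata(flags, proto, alg, pub))
    after = key_tag(dnskey_rdata(flags | REVOKE, proto, alg, pub))
    return before, after


def is_revoked_ksk(flags: int) -> bool:
    """A trust anchor should be dropped only when it is a SEP key carrying REVOKE."""
    return bool(flags & REVOKE) and bool(flags & SEP)


if __name__ == "__main__":
    before, after = tags_before_and_after_revoke(KSK_2010)
    print(f"KSK-2010 key tag {before} -> {after} once REVOKE is set")
```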